Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
About This Guide

Published: March 31, 2010
Revised: May 6, 2013, OL-24002-01

Contents

This guide describes how to install appliances and modules that support Cisco IPS 7.1. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.1. Use this guide in conjunction with the documents listed in Related Documentation, page xviii.
Comply with Local and National Electrical Codes

Warning  Installation of the equipment must comply with local and national electrical codes. Statement 1074
Organization

This guide includes the following sections:

Section  Title                                        Description
1        “Introducing the Sensor”                     Describes IPS appliances and modules.
2        “Preparing the Appliance for Installation”   Describes how to prepare to install appliances.
3        “Installing the IPS 4270-20”                 Describes how to install the IPS 4270-20.
4        “Installing the IPS 4345 and IPS 4360”       Describes how to install the IPS 4345 and the IPS 4360.
Conventions

This document uses the following conventions:

Convention      Indication
bold font       Commands and keywords and user-entered text appear in bold font.
italic font     Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]             Elements in square brackets are optional.
{x | y | z }    Required alternative keywords are grouped in braces and separated by vertical bars.
For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.
CHAPTER 1

Introducing the Sensor

Contents

This chapter introduces the sensor and provides information you should know before you install the sensor. In this guide, the term sensor refers to all models unless noted otherwise. For a complete list of supported sensors and their model numbers, see Supported Sensors, page 1-19.
How the Sensor Functions

Figure 1-1 Comprehensive Deployment Solutions (diagram labels: Attacker; Internet; Public services segment; Main campus; Campus core; Service provider, partner, or branch office network; sensors deployed in IDS mode and in IPS mode; multiple IPS sensors deliver a highly scalable, load-balanced solution via Cisco Etherchannel technology on Cisco Catalyst Switches)
• Generate IP session logs, session replay, and trigger packets display. IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.
• Implement multiple packet drop actions to stop worms and viruses.
• Filter out known false positives caused by specialized software, such as vulnerability scanners and load balancers, by one of the following methods:
  – You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer.
  – You can configure the sensor to allow these alerts and then use the IME to filter out the false positives.
• Filter the Informational alerts.
There are three interface roles:
• Command and control
• Sensing
• Alternate TCP reset

There are restrictions on which roles you can assign to specific interfaces, and some interfaces have multiple roles. You can configure any sensing interface to use any other sensing interface as its TCP reset interface. The TCP reset interface can also serve as an IDS (promiscuous) sensing interface at the same time.
Table 1-1 Command and Control Interfaces (continued)

Sensor         Command and Control Interface
IPS 4260       Management 0/0
IPS 4270-20    Management 0/0
IPS 4345       Management 0/0
IPS 4360       Management 0/0
IPS 4510       Management 0/0 (footnote 1)
IPS 4520       Management 0/0 (footnote 1)

1. The 4500 series sensors have two management ports, Management 0/0 and Management 0/1, but Management 0/1 is reserved for future use.
Table 1-2 Interface Support (continued)

Base chassis: ASA 5500 AIP SSM-40
Added interface cards: —
Interfaces supporting inline VLAN pairs (sensing ports): GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair
Combinations supporting inline interface pairs: GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair

Base chassis: ASA 5512-
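Table 1-2 Interface Support (continued)

Base chassis: IPS 4255
Added interface cards: —
Interfaces supporting inline VLAN pairs (sensing ports): GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, GigabitEthernet 0/3
Combinations supporting inline interface pairs: 0/0<->0/1, 0/0<->0/2, 0/0<->0/3, 0/1<->0/2, 0/1<->0/3, 0/2<->0/3
Interfaces not supporting inline (command and control port): Management 0/0

Base chassis: IPS 4260
Added interface cards: —
Interfaces supporting inline VLAN pairs (sensing ports): GigabitEthernet 0/1
Combinations supporting inline interface pairs: N/A
Interfaces not supporting inline (command and control port): Management 0/0

Base chassis: IPS 4260
Added interface cards: 4GE-BP
Interfaces supporting inline VLAN pairs (sensing ports): GigabitEth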
Table 1-2 Interface Support (continued)

Base chassis: IPS 4270-20
Added interface cards: 2SX
Interfaces supporting inline VLAN pairs (sensing ports):
  Slot 1: GigabitEthernet 3/0, GigabitEthernet 3/1
  Slot 2: GigabitEthernet 4/0, GigabitEthernet 4/1

Base chassis: IPS 4270-20
Added interface cards: 10GE
Interfaces supporting inline VLAN pairs (sensing ports):
  Slot 1: TenGigabitEthernet 5/0, TenGigabitEthernet 5/1
  Slot 2: TenGigabitEthernet 7/0, TenGigabitEthernet 7/1

Base chassis: IPS 4345
Added interface cards: —
Interfaces supporting inline VLAN pairs (sensing ports): GigabitEthernet 0/0, GigabitEthernet 0/1
Table 1-2 Interface Support (continued)

Base chassis: IPS 4510
Added interface cards: —
Interfaces supporting inline VLAN pairs (sensing ports): GigabitEthernet 0/0, GigabitEthernet 0/1
Combinations supporting inline interface pairs: All sensing ports can be paired together
Interfaces not supporting inline (command and control port): Management 0/0, Management 0/1 (footnote 6)

Combinations supporting inline interface pairs: All sensing ports can be paired together
Interfaces not supporting inline (command and control port): Management 0/0, Management 0/1 (footnote 6)

Giga
TCP Reset Interfaces

This section explains the TCP reset interfaces and when to use them. It contains the following topics:
• Understanding Alternate TCP Reset Interfaces
• Designating the Alternate TCP Reset Interface

Understanding Alternate TCP Reset Interfaces

Note  The alternate TCP reset interface setting is ignored in inline interface or inline VLAN pair mode, because resets are sent inline in these modes.
Table 1-3 Alternate TCP Reset Interfaces (continued)

Sensor         Alternate TCP Reset Interface
IPS 4240       Any sensing interface
IPS 4255       Any sensing interface
IPS 4260       Any sensing interface
IPS 4270-20    Any sensing interface
IPS 4345       Any sensing interface
IPS 4360       Any sensing interface
IPS 4510       Any sensing interface
IPS 4520       Any sensing interface

Designating the Alternate TCP Reset Interface

Note  There is only one sensing interface o
  – For Gigabit copper interfaces (1000-TX on the IPS 4240, IPS 4255, IPS 4260, IPS 4270-20, IPS 4345, IPS 4360, IPS 4510, and IPS 4520), valid speed settings are 10 Mbps, 100 Mbps, 1000 Mbps, and auto. Valid duplex settings are full, half, and auto.
  – For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto.
  – The command and control interface cannot serve as the alternate TCP reset interface for a sensing interface.
  – A sensing interface cannot serve as its own alternate TCP reset interface.
  – You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces.
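The speed, duplex, and alternate TCP reset restrictions above can be checked against a planned interface layout before it is configured on the sensor. The following Python sketch is an added example, not Cisco code; the Interface record, its field names, the finding codes, and the sample plan are assumptions made for illustration, and only rules stated in this section are encoded.

```python
from dataclasses import dataclass
from typing import Optional

# Only the rules stated in this section of the guide are encoded.
GIG_COPPER_SPEEDS = {"10", "100", "1000", "auto"}
DUPLEX_SETTINGS = {"full", "half", "auto"}
INLINE_MODES = {"inline-interface-pair", "inline-vlan-pair"}


@dataclass
class Interface:
    """Hypothetical planning record; field names are not IPS CLI keywords."""
    name: str
    role: str                            # "command-control" or "sensing"
    media: str = "gig-copper"            # or "gig-fiber"
    mode: str = "promiscuous"            # or a value from INLINE_MODES
    speed: str = "auto"
    duplex: str = "auto"
    tcp_reset_capable: bool = True
    alt_tcp_reset: Optional[str] = None  # name of the alternate TCP reset interface


def validate(plan):
    """Return (interface name, severity, finding code) tuples for a planned layout."""
    by_name = {iface.name: iface for iface in plan}
    findings = []
    for iface in plan:
        # Gigabit copper: speed is 10, 100, 1000 or auto; duplex is full, half or auto.
        if iface.media == "gig-copper":
            if iface.speed not in GIG_COPPER_SPEEDS:
                findings.append((iface.name, "error", "invalid-speed"))
            if iface.duplex not in DUPLEX_SETTINGS:
                findings.append((iface.name, "error", "invalid-duplex"))
        # Gigabit copper or fiber: at 1000 Mbps the only valid duplex setting is auto.
        if iface.speed == "1000" and iface.duplex != "auto":
            findings.append((iface.name, "error", "speed-1000-needs-duplex-auto"))

        if iface.alt_tcp_reset is None:
            continue
        # The setting is ignored in inline modes because resets are sent inline.
        if iface.mode in INLINE_MODES:
            findings.append((iface.name, "warning", "alt-reset-ignored-inline"))
        target = by_name.get(iface.alt_tcp_reset)
        if target is None:
            findings.append((iface.name, "error", "alt-reset-unknown-interface"))
        elif target is iface:
            findings.append((iface.name, "error", "alt-reset-is-self"))
        elif target.role == "command-control":
            findings.append((iface.name, "error", "alt-reset-is-command-control"))
        elif not target.tcp_reset_capable:
            findings.append((iface.name, "error", "alt-reset-not-capable"))
    return findings


# Constructed sample plan; interface assignments are illustrative only.
SAMPLE_PLAN = [
    Interface("Management0/0", role="command-control"),
    Interface("GigabitEthernet0/0", role="sensing",
              alt_tcp_reset="GigabitEthernet0/1"),            # valid
    Interface("GigabitEthernet0/1", role="sensing",
              alt_tcp_reset="GigabitEthernet0/1"),            # points at itself
    Interface("GigabitEthernet0/2", role="sensing", speed="1000", duplex="full",
              alt_tcp_reset="Management0/0"),                 # two violations
    Interface("GigabitEthernet0/3", role="sensing", mode="inline-interface-pair",
              alt_tcp_reset="GigabitEthernet0/0"),            # setting is ignored
]

if __name__ == "__main__":
    for name, severity, code in validate(SAMPLE_PLAN):
        print(f"{severity:7} {name:20} {code}")
```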
• VLAN Group Mode
• Deploying VLAN Groups

Promiscuous Mode

In promiscuous mode, packets do not flow through the sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor does not affect the packet flow with the forwarded traffic.
The following configuration uses one SPAN session to send all of the traffic on any of the specified VLANs to all of the specified ports. Each port configuration only allows a particular VLAN or VLANs to pass.
Figure 1-3 illustrates inline interface pair mode:

Figure 1-3 Inline Interface Pair Mode (diagram labels: Router, Switch, Sensor, Host, VLAN A; traffic passes through interface pair)

Inline VLAN Pair Mode

Note  The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs.

You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode.
VLAN Group Mode

Note  The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support VLAN groups mode.

You can divide each physical interface or inline interface into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface. Analysis Engine supports multiple virtual sensors, each of which can monitor one or more of these interfaces.
You can also connect appliances between two switches. There are two variations. In the first variation, the two ports are configured as access ports, so they carry a single VLAN. In this way, the sensor bridges a single VLAN between the two switches. In the second variation, the two ports are configured as trunk ports, so they can carry multiple VLANs. In this configuration, the sensor bridges multiple VLANs between the two switches.
Table 1-4 Supported Sensors (continued)

Model Name             Part Number                                           Optional Interfaces
IPS 4520-K9            —
ASA 5500 AIP SSM-10    ASA-SSM-AIP-10-K9                                     —
ASA 5500 AIP SSM-20    ASA-SSM-AIP-20-K9                                     —
ASA 5500 AIP SSM-40    ASA-SSM-AIP-40-K9                                     —
ASA 5512-X             ASA5512-K7, ASA5512-K8, ASA5512-DC-K8                 ASA-IC-6GE-CU-A=, ASA-IC-6GE-SFP-A=
ASA 5515-X             ASA5515-K7, ASA5515-K8, ASA5515-DC, ASA5515-DC-K8     ASA-IC-6GE-CU-A=, ASA-IC-6GE-SFP-A=
ASA 5525-X             ASA5525-K7, ASA5525-K8, ASA5525-K9, AS
Introducing the IPS Appliance

Note  The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].

The IPS appliance is a high-performance, plug-and-play device. The appliance is a component of the IPS, a network-based, real-time intrusion prevention system.
Appliance Restrictions

The following restrictions apply to using and operating the appliance:
• The appliance is not a general purpose workstation.
• Cisco Systems prohibits using the appliance for anything other than operating Cisco IPS.
• Cisco Systems prohibits modifying or installing any hardware or software in the appliance that is not part of the normal operation of the Cisco IPS.
Time Sources and the Sensor

This section explains the importance of having a reliable time source for the sensors and how to correct the time if there is an error.
Verifying the Sensor is Synchronized with the NTP Server

In the Cisco IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply an incorrect configuration, you receive an error message. To verify the NTP configuration, use the show statistics host command to gather sensor statistics.
To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command.

Note  You cannot remove individual events.

For More Information

For the procedure for clearing events, refer to Clearing Events from Event Store.
CHAPTER 2

Preparing the Appliance for Installation

This chapter describes the steps to follow before installing new hardware or performing hardware upgrades, and includes the following sections:
• Installation Preparation
• Safety Recommendations
• General Site Requirements

Installation Preparation

To prepare for installing an appliance, follow these steps:

Step 1  Review the safety precautions outlined in one of the following safety documents:
• Regulatory Compli
For More Information
• For ESD guidelines, see Electricity Safety Guidelines, page 2-2.
• For the procedure for working in an ESD environment, see Working in an ESD Environment, page 2-4.
Follow these guidelines when working on equipment powered by electricity:
• Before beginning procedures that require access to the interior of the chassis, locate the emergency power-off switch for the room in which you are working. Then, if an electrical accident occurs, you can act quickly to turn off the power.
• Do not work alone if potentially hazardous conditions exist anywhere in your work space.
Working in an ESD Environment

Work on ESD-sensitive parts only at an approved static-safe station on a grounded static dissipative work surface, for example, an ESD workbench or static dissipative mat.

To remove and replace components in a sensor, follow these steps:

Step 1  Remove all static-generating items from your work area.
Step 2  Use a static dissipative work surface and wrist strap.
General Site Requirements

This section describes the requirements your site must meet for safe installation and operation of your IPS appliance. This section includes the following topics:
• Site Environment
• Preventive Site Configuration
• Power Supply Considerations
• Configuring Equipment Racks

Site Environment

Place the appliance on a desktop or mount it in a rack.
Power Supply Considerations

The IPS 4270-20 has an AC power supply. The IPS 4345, IPS 4360, IPS 4510, and IPS 4520 have either an AC or DC power supply.

Follow these guidelines for power supplies:
• Check the power at the site before installing the chassis to ensure that the power is free of spikes and noise. Install a power conditioner if necessary, to ensure proper voltages and power levels in the source voltage.
CHAPTER 3

Installing the IPS 4240 and IPS 4255

Contents

This chapter describes the IPS 4240 and IPS 4255, and contains the following sections:
• Installation Notes and Caveats
• Product Overview
• Front and Back Panel Features
• Specifications
• Connecting the IPS 4240 to a Cisco 7200 Series Router
• Accessories
• Rack Mounting
• Installing the IPS 4240 and IPS 4255
• Installing the IPS 4240-DC
Note  The illustrations in this chapter show the Cisco IPS 4240 appliance sensor. The IPS 4240 and the IPS 4255 look identical with the same front and back panel features and indicators.

Note  In IPS 7.1, rx/tx flow control is disabled on the IPS 4240 and the IPS 4255. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
Front and Back Panel Features

Note  Although the graphics show the IPS 4240, the IPS 4255 has the same front and back panel features and indicators.

This section describes the IPS 4240 and IPS 4255 front and back panel features and indicators. Figure 3-1 shows the front view of the IPS 4240 and IPS 4255.
Figure 3-3 shows the four built-in Ethernet ports, which have two indicators per port.

Figure 3-3 Ethernet Port Indicators (labels: MGMT, USB1, USB2, and LNK and SPD indicators for ports 0 through 3)

Table 3-2 lists the back panel indicators.
Table 3-3 IPS 4240 and IPS 4255 Specifications (continued)

Maximum peak               190 W
Maximum heat dissipation   648 BTU/hr, full power usage (65 W)

Environment
Temperature                Operating: +32°F to +104°F (+0°C to +40°C)
                           Nonoperating: -13°F to +158°F (-25°C to +70°C)
Relative humidity          Operating: 5% to 95% (noncondensing)
                           Nonoperating: 5% to 95% (noncondensing)
Altitude                   Operating: 0 to 9843 ft (3000 m)
                           Nonoperating
The IPS 4240 and IPS 4255 accessories kit contains the following:
• DB25 connector
• DB9 connector
• Rack mounting kit—screws, washers, and metal bracket
• RJ45 console cable
• Two 6-ft Ethernet cables

Rack Mounting

To rack mount the IPS 4240 and IPS 4255, follow these steps:

Step 1  Attach the bracket to the appliance using the supplied screws. You can attach the brackets to the holes near the front of the appliance.
Step 2  Use the supplied screws to attach the appliance to the equipment rack.
Step 3  To remove the appliance from the rack, remove the screws that attach the appliance to the rack, and then remove the appliance.
To install the IPS 4240 and IPS 4255 on the network, follow these steps:

Step 1  Position the appliance on the network.
Step 2  Attach the grounding lug to the side of the appliance.

Note  Use 8-32 screws to connect a copper standard barrel grounding lug to the holes. The appliance requires a lug where the distance between the center of each hole is 0.
Step 6  Connect the RJ-45 connector to the console port and connect the other end to the DB-9 or DB-25 connector on your computer.

(Figure: RJ-45 to DB-9 or DB-25 serial cable (null-modem) connecting the console port (RJ-45) to the computer serial port, DB-9 or DB-25)

Step 7  Attach the network cables.
For More Information
• For more information on working with electrical power and in an ESD environment, see Safety Recommendations, page 2-2.
• For the procedure for placing the appliance in a rack, see Rack Mounting, page 3-6.
• For the instructions for setting up a terminal server, see Connecting an Appliance to a Terminal Server, page 1-22.
To install the IPS 4240-DC, follow these steps:

Step 1  Position the IPS 4240-DC on the network.
Step 2  Attach the grounding lug to the side of the appliance.

Note  Use 8-32 screws to connect a copper standard barrel grounding lug to the holes. The appliance requires a lug where the distance between the center of each hole is 0.56 inches.
Insert the ground wire into the connector for the earth ground and tighten the screw on the connector. Using the same method as for the ground wire, connect the negative wire and then the positive wire.
For More Information
• DC power guidelines are listed in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
• For more information on working with electrical power and in an ESD environment, see Safety Recommendations, page 2-2.
• For the procedure for placing the appliance in a rack, see Rack Mounting, page 3-6.
CHAPTER 4

Installing the IPS 4260

Contents

This chapter describes IPS 4260, and contains the following sections:
• Installation Notes and Caveats
• Product Overview
• Supported Interface Cards
• Hardware Bypass
• Front and Back Panel Features
• Specifications
• Accessories
• Rack Mounting
• Installing the IPS 4260
• Removing and Replacing the Chassis Cover
• Installing and Remo
Note  In IPS 7.1, rx/tx flow control is disabled on the IPS 4260. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.

Caution  The BIOS on IPS 4260 is specific to IPS 4260 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on IPS 4260 voids the warranty.
• For more information on installing and removing the power supply, see Installing and Removing the Power Supply, page 4-23.

Supported Interface Cards

The IPS 4260 supports three interface cards: the 4GE bypass interface card, the 2SX interface card, and the 10GE interface card.

4GE Bypass Interface Card

The 4GE bypass interface card (part numbers IPS-4GE-BP-INT and IPS-4GE-BP-INT=) provides four 10/100/1000BASE-T (4GE) monitoring interfaces.
Figure 4-2 shows the 2SX interface card.

Figure 4-2 2SX Interface Card

10GE Interface Card

The 10GE interface card (part numbers IPS-2X10GE-SR-INT and IPS-2X10GE-SR-INT=) provides two 10000 Base-SX (fiber) interfaces. The IPS 4260 supports one 10GE interface card for a total of two 10GE fiber interfaces. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the IPS 4260.
4GE Bypass Interface Card

The IPS 4260 supports the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware bypass. This 4GE bypass interface card supports hardware bypass only between ports 0 and 1 and between ports 2 and 3.

Note  To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3.

Hardware bypass complements the existing software bypass feature in Cisco IPS.
The following configuration restrictions apply to hardware bypass:
• The 4-port bypass card is only supported on the IPS 4260.
• Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN pairs.
• Fail-open hardware bypass is available on an inline interface if all of the following conditions are met:
  – Both of the physical interfaces support hardware bypass.
Front and Back Panel Features

This section describes the IPS 4260 front and back panel features and indicators. Figure 4-4 shows the front view of IPS 4260.

Figure 4-4 IPS 4260 Front Panel Features (labels: RESET, Power, ID, Status, NIC, Flash)

There are three switches on the front panel of IPS 4260:
• Power—Toggles the system power.
Figure 4-5 shows the back view of the IPS 4260.
Table 4-3 lists the power supply indicators.

Table 4-3 Power Supply Indicators

Color            Description
Off              No AC power to all power supplies.
Green solid      Output on and ok.
Green blinking   AC present, only 5Vsb on (power supply off).
Amber            No AC power to this power supply (for 1+1 configuration) or power supply critical event causing a shutdown: failure, fuse blown (1+1 only), OCP 12 V, OVP 12 V, or fan failed.
Table 4-4 IPS 4260 Specifications (continued)

Shock        Operating: Half-sine 2 G, 11 ms pulse, 100 pulses
             Nonoperating: 25 G, 170 inches/sec delta V
Vibration    2.2 Grms, 10 minutes per axis on all three axes

Accessories

Warning  IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury.
Installing the IPS 4260 in a 4-Post Rack

To rack mount the IPS 4260 in a 4-post rack, follow these steps:

Step 1  Attach each inner rail to each side of the chassis with three 8-32x1/4” SEMS screws.
Step 2 Attach the front-tab mounting bracket to the chassis with two 8-32x1/4” SEMS screws. You can flip the bracket to push the system forward in the rack.
Step 3 Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert four thread covers over the four outer studs on each side.
Step 4 Install the two outer rail subassemblies in the rack using eight 10-32x1/2” SEMS screws. You can use four bar nuts if necessary. Adjust the mounting brackets based on rack depth.
Step 5 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail.
Installing the IPS 4260 in a 2-Post Rack
To rack mount the IPS 4260 in a 2-post rack, follow these steps:
Step 1 Attach the inner rail to each side of the chassis with three 8-32x1/4” SEMS screws.
Step 2 Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts.
Step 3 Install the two outer rail subassemblies in the rack using twelve 10-32x1/2” SEMS screws or whatever rack hardware is necessary. Adjust the mounting brackets based on the rack-channel depth.
Step 4 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail.
Step 5 Install four 8-32x7/16” SEMS screws through the clearance slots in the side of each outer rail assembly into the inner rail.
Installing the IPS 4260
Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
To install the IPS 4260 on the network, follow these steps:
Step 1 Position the IPS 4260 on the network.
Step 2 Attach the grounding lugs to the back of the IPS 4260.
Note Use 8-32 locknuts to connect a copper standard barrel grounding lug to the holes. The appliance requires a lug where the distance between the center of each hole is 0.56 inches.
Step 6 Connect the RJ-45 connector to the console port and connect the other end to the DB-9 or DB-25 connector on your computer.
[Figure labels: console port (RJ-45); RJ-45 to DB-9 or DB-25 serial cable (null-modem); computer serial port (DB-9 or DB-25)]
Step 7 Attach the network cables.
Step 9 Initialize the IPS 4260.
Step 10 Upgrade the IPS 4260 with the most recent Cisco IPS software.
You are now ready to configure intrusion prevention on the IPS 4260.
For More Information
• For more information on working with electrical power and in an ESD environment, see Safety Recommendations, page 2-2.
• For the procedure for installing the IPS 4260 in a rack, see Rack Mounting, page 4-10.
Caution Follow proper safety procedures when removing and replacing the chassis cover by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
Note Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4260 does not require any special tools and does not create any radio frequency leaks.
Step 11 Power on the IPS 4260.
For More Information
• For the IDM procedure for resetting the IPS 4260, refer to Rebooting the Sensor; for the IME procedure for resetting the IPS 4260, refer to Rebooting the Sensor.
• For the procedure for removing the IPS 4260 from a rack, see Rack Mounting, page 4-10.
• For more information on ESD-controlled environments, see Safety Recommendations, page 2-2.
Step 8 Remove the card carrier by pulling up on the two blue release tabs. Use equal pressure and lift the card carrier out of the chassis.
Step 9 With a screwdriver, remove the screw from the desired slot cover.
Step 10 Remove the slot cover by pressing on it from inside the chassis. If the card is full length, use a screwdriver to remove the blue thumb screw from the card support at the back of the card carrier.
For More Information
• For the procedure for attaching power cords and cables to the IPS 4260, see Installing the IPS 4260, page 4-16.
• For an illustration of the expansion card slots, see Figure 4-6 on page 4-8.
• For an illustration of the supported PCI cards, see Supported Interface Cards, page 4-3.
Step 5 Squeeze the tabs to remove the filler plate.
Step 6 Install the power supply.
Step 7 To remove the power supply, push down the green tab and pull out the power supply.
Step 8 After installing or removing the power supply, replace the power cord and other cables.
Step 9 Power on the IPS 4260.
For More Information
For the IDM procedure for resetting the IPS 4260, refer to Rebooting the Sensor; for the IME procedure, refer to Rebooting the Sensor.
CHAPTER 5
Installing the IPS 4270-20
Contents
This chapter describes the IPS 4270-20, and includes the following sections:
• Installation Notes and Caveats
• Product Overview
• Supported Interface Cards
• Hardware Bypass
• Front and Back Panel Features
• Diagnostic Panel
• Specifications
• Accessories
• Installing the Rail System Kit
• Installing the IPS 4270-20
• Removing and
Warning This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 120 VAC, 20 A U.S. (240 VAC, 16-20 A International). Statement 1005
Warning This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor.
Media-rich environments are characterized by content, such as that seen on popular websites with video and file transfer. Transactional environments are characterized by connections, such as E-commerce, instant messaging, and voice. Figure 5-1 demonstrates the spectrum of media-rich and transactional environments.
Figure 5-1 Media-rich and Transactional Environments
• For more information on the 4GE bypass interface card, see Hardware Bypass, page 5-5.
• For more information about the power supplies, see Installing and Removing the Power Supply, page 5-45.
Supported Interface Cards
The IPS 4270-20 supports three interface cards: the 4GE bypass interface card, the 2SX interface card, and the 10GE interface card.
Figure 5-3 shows the 2SX interface card.
Figure 5-3 2SX Interface Card
10GE Interface Card
The 10GE interface card (part numbers IPS-2X10GE-SR-INT and IPS-2X10GE-SR-INT=) provides two 10000 Base-SX (fiber) interfaces. The IPS 4270-20 supports up to two 10GE interface cards for a total of four 10GE fiber interfaces. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the IPS 4270-20.
4GE Bypass Interface Card
The IPS 4270-20 supports the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware bypass. This 4GE bypass interface card supports hardware bypass only between ports 0 and 1 and between ports 2 and 3.
Note To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3.
Hardware bypass complements the existing software bypass feature in Cisco IPS.
The following configuration restrictions apply to hardware bypass:
• The 4-port bypass card is only supported on the IPS 4270-20.
• Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN pairs.
• Fail-open hardware bypass is available on an inline interface if all of the following conditions are met:
  – Both of the physical interfaces support hardware bypass.
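The pairing rule and restrictions above can be checked before cabling, so that it is known in advance which inline segments would fail open. The following is an added example, not code from the Cisco guide or from Cisco IPS software; the function names, the use of the guide's `slot/port<->slot/port` notation as input, and the set of slots holding a 4GE bypass card are assumptions, and only the rules stated on this page are checked (the remaining conditions in the list are not).

```python
"""Pre-deployment check of planned inline pairs against the 4GE bypass card rules."""
import re
from dataclasses import dataclass

# Port pairs on one 4GE bypass card that the guide says support hardware bypass.
BYPASS_PORT_PAIRS = {frozenset({0, 1}), frozenset({2, 3})}

# Assumed input notation, modelled on the guide's example "2/0<->2/2".
PAIR_RE = re.compile(r"^\s*(\d+)/(\d+)\s*<->\s*(\d+)/(\d+)\s*$")


@dataclass(frozen=True)
class PairVerdict:
    pair: str
    hw_bypass_possible: bool
    reason: str


def check_pair(pair, bypass_slots, vlan_pair=False):
    """Classify one planned pair; bypass_slots is the set of slots with a bypass card."""
    m = PAIR_RE.match(pair)
    if m is None:
        raise ValueError(f"unrecognised pair notation: {pair!r}")
    slot_a, port_a, slot_b, port_b = (int(g) for g in m.groups())
    if (slot_a, port_a) == (slot_b, port_b):
        raise ValueError(f"interface paired with itself: {pair!r}")
    if vlan_pair:
        # Restriction: fail-open bypass works on interface pairs, not VLAN pairs.
        return PairVerdict(pair, False, "inline VLAN pair")
    missing = [s for s in (slot_a, slot_b) if s not in bypass_slots]
    if missing:
        # Condition: both physical interfaces must support hardware bypass.
        return PairVerdict(pair, False, f"slot {missing[0]} has no bypass card")
    if slot_a != slot_b:
        # Bypass exists only between ports of the same card.
        return PairVerdict(pair, False, "ports are on different cards")
    if frozenset({port_a, port_b}) not in BYPASS_PORT_PAIRS:
        # Any combination other than 0-1 or 2-3 disables hardware bypass.
        return PairVerdict(pair, False, "ports are not a 0-1 or 2-3 pair")
    return PairVerdict(pair, True, "meets the rules checked here")


def audit(plan, bypass_slots):
    """plan is a list of (pair, is_vlan_pair) tuples; returns one verdict per entry."""
    return [check_pair(p, bypass_slots, vlan_pair=v) for p, v in plan]


def without_hw_bypass(plan, bypass_slots):
    """Pairs that will not fail open in hardware."""
    return [v.pair for v in audit(plan, bypass_slots) if not v.hw_bypass_possible]


# Constructed sample plan: bypass cards assumed in slots 2 and 3.
BYPASS_SLOTS = {2, 3}
PLAN = [
    ("2/0<->2/1", False),  # wired bypass pair
    ("2/0<->2/2", False),  # the guide's example of a non-bypass pairing
    ("2/2<->2/3", True),   # right ports, but configured as an inline VLAN pair
    ("2/1<->3/0", False),  # spans two cards
]

if __name__ == "__main__":
    for verdict in audit(PLAN, BYPASS_SLOTS):
        state = "bypass possible" if verdict.hw_bypass_possible else "no hw bypass"
        print(f"{verdict.pair:12} {state:16} {verdict.reason}")
```

A pair reported without hardware bypass stops passing traffic on that segment when the sensor loses power, while a bypass-capable pair passes traffic uninspected, so the result is worth recording per segment.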
Front and Back Panel Features
This section describes the IPS 4270-20 front and back panel features, indicators, and internal components. Figure 5-5 shows the front view of the IPS 4270-20.
Figure 5-5 IPS 4270-20 Front View
Figure 5-6 shows the front panel switches and indicators.
Table 5-1 describes the front panel switches and indicators on the IPS 4270-20.
Figure 5-7 shows the back view of the IPS 4270-20.
Figure 5-8 shows the built-in Ethernet port, which has two indicators per port, and the power supply indicators.
Figure 5-8 Ethernet Port Indicators
Table 5-2 describes the Ethernet port indicators.
Table 5-3 Power Supply Indicators (continued)
Fail Indicator 1 (Amber)   Power Indicator 2 (Green)   Description
Off                        Flashing                    • AC power present • Standby mode
Off                        On                          Normal
Figure 5-9 shows the internal components.
Figure 5-9 IPS 4270-20 Internal Components
[Figure labels: power supplies; sensing interface expansion slots; cooling fans; Diagnostic Panel]
Diagnostic Panel
The front panel health indicators only indicate the current hardware status. The Diagnostic Panel indicators identify components experiencing an error, event, or failure. All indicators are off unless one of the components fails.
Note When you remove the chassis cover to view the Diagnostic Panel, leave the IPS 4270-20 powered on. Powering off the IPS 4270-20 clears the Diagnostic Panel indicators.
For More Information
• For the location of the Diagnostic Panel in the IPS 4270-20 chassis, see Figure 5-9 on page 5-13.
• For information on how to access the Diagnostic Panel, see Accessing the Diagnostic Panel, page 5-42.
Specifications
Table 5-5 lists the specifications for the IPS 4270-20.
Table 5-5 IPS 4270-20 Specifications
Dimensions and Weight
Height   6.94 in. (17.6 cm)
Width    19.0 in. (46.3 cm)
Depth    26.5 in. (67.
Accessories
The IPS 4270-20 accessories kit contains the following:
• DB-9 connector
• DB-9/RJ-45 console cable
• Two Ethernet RJ-45 cables
• Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor
• Documentation Roadmap for Cisco Intrusion Prevention System
Installing the Rail System Kit
You can install the IPS 4270-20 in a 4-post rack.
No tools are required for the round- and square-hole racks. You may need screws that fit the threaded-hole rack and a driver for those screws. You need a standard screwdriver to remove the round- and square-hole studs from the slide assemblies when you install the security appliance in a threaded-hole rack.
This rail system supports a minimum rack depth of 24 in. (60.96 cm) and a maximum rack depth of 36.5 in. (92.71 cm).
Installing the IPS 4270-20 in the Rack
Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:
• This unit should be mounted at the bottom of the rack if it is the only unit in the rack.
Step 3 To remove the chassis side rail, lift the latch, and slide the rail forward.
Step 4 If you are installing the IPS 4270-20 in a shallow rack, one that is less than 28.5 in. (72.39 cm), remove the screw from the inside of the slide assembly before continuing with Step 5.
Step 5 Attach the slide assemblies to the rack.
For round- and square-hole racks:
a. Line up the studs on the slide assembly with the holes on the inside of the rack and snap in to place.
b. Adjust the slide assembly lengthwise to fit the rack. The spring latch locks the slide assembly into position.
c. Repeat for each slide assembly. Make sure the slide assemblies line up with each other in the rack.
d.
For threaded-hole racks:
a. Remove the eight round- or square-hole studs on each slide assembly using a standard screwdriver.
Note You may need a pair of pliers to hold the retaining nut.
b. Line up the bracket on the slide assembly with the rack holes, install two screws (top and bottom) on each end of the slide assembly.
c. Repeat for each slide assembly.
Step 6 Extend the slide assemblies out of the rack.
Step 7 Align the chassis side rails on the IPS 4270-20 with the slide assembly on both sides of the rack, release the blue slide tab (by either pulling the tab forward or pushing the tab back), and carefully push the IPS 4270-20 in to place.
Step 9 Install the electrical cables at the back of the IPS 4270-20.
To extend the IPS 4270-20 from the rack, follow these steps:
Step 1 Pull the quick-release levers on each side of the front bezel of the IPS 4270-20 to release it from the rack and extend it on the rack rails until the rail-release latches engage.
Note The release latches lock in to place when the rails are fully extended.
To completely remove the IPS 4270-20 from the rack, disconnect the cables from the back of the IPS 4270-20, push the release tab in the middle of the slide assembly forward, and pull the IPS 4270-20 from the rack.
To install the cable management arm, follow these steps:
Step 1 Align the slide bracket on the cable management arm with the stud on the back of the IPS 4270-20 and align the two studs at the back of the chassis side rail, then slide down and lock in to place.
Step 2 Attach the cable trough to the back of the rack by pushing the lower metal tab on the cable management arm in to the slide assembly, then lifting the spring pin to lock it in to place.
Caution Make sure the metal tab is on the outside of the upper part of the cable management arm.
Step 3 Route the cables through the cable trough and secure the cables with the Velcro straps and black tie wraps.
Note After you route the cables through the cable management arm, make sure the cables are not pulled tight when the IPS 4270-20 is fully extended.
Step 4 Attach the cable management arm stop bracket to the right side of the back of the rack by inserting the stop bracket into the cable management arm bracket.
Converting the Cable Management Arm
Note The cable management arm is designed for ambidextrous use.
To convert the cable management arm swing, follow these steps:
Step 1 Pull up the spring pin and slide the bracket off the cable management arm.
Step 2 Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs.
Step 3 On the other side of the sliding bracket, align the spring pin with the studs and key holes, and slide until the pin snaps in to place. The sliding bracket only fits one way because the hole for the spring pin is offset.
with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071
SAVE THESE INSTRUCTIONS
Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
Step 4 Connect the RJ-45 to DB-9 adapter connector to the console port and connect the other end to the DB-9 connector on your computer.
[Figure labels: RJ-45 to DB-9 adapter; RJ-45 to DB-9 serial cable (null-modem); console port (DB-9); computer serial port (DB-9)]
Step 5 Attach the network cables.
[Figure labels: power connectors; sensing interfaces; console port; Management0/0; reserved ports]
The IPS 4270-20 has the following interfaces:
• Management 0/0 (MGMT0/0) is the command and control port.
For More Information
• For more information on working with electrical power and in an ESD environment, see Safety Recommendations, page 2-2.
• For more information on the best place to position your sensor on the network, see Your Network Topology, page 1-3.
• For the procedure for installing the IPS 4270-20 in a rack, see Installing the IPS 4270-20 in the Rack, page 5-18.
Warning This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028
Note Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks.
Caution Do not operate the IPS 4270-20 for long periods with the chassis cover open or removed.
Step 8 Lift up the cover latch on the top of the chassis.
Step 9 Slide the chassis cover back and up to remove it.
Note Make sure the chassis cover is securely locked in to place before powering up the IPS 4270-20.
Step 11 Reattach the power cables to the IPS 4270-20.
Step 12 Reinstall the IPS 4270-20 in a rack, on a desktop, or on a table, or extend it back in to the rack.
Step 13 Power on the IPS 4270-20.
Installing and Removing Interface Cards
Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
The IPS 4270-20 has nine expansion card slots. Slots 1 and 2 are PCI-X slots and are reserved for future use. Slots 3 through 9 are PCI-Express slots.
Step 8 To unlock the expansion card slot, push down on the center part of the blue tab and open the latch.
Step 9 To uninstall a card, lift the card out of the socket. To install a card, position the card so that its connector lines up over the socket on the motherboard and push the card down in to the socket.
For More Information
• For an illustration of the expansion card slots, see Figure 5-7 on page 5-10.
• For an illustration of the supported interface cards, see Supported Interface Cards, page 5-4.
• For the IDM procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor; for the IME procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor.
Step 5 Use the T-15 Torx screwdriver that shipped with the IPS 4270-20 to remove the shipping screw. The T-15 Torx screwdriver is located to the right of the power supply.
Step 6 Remove the power supply by pulling it away from the chassis.
Step 7 Install the power supply. Make sure the handle is open and slide the power supply into the bay.
Step 8 Lock the power supply handle.
Step 9 Reconnect the power cables. Be sure that the power supply indicator is green and the front panel health indicator is green.
Note Make sure the two power supplies are powered by separate AC power sources so that the IPS 4270-20 is always available.
Step 10 Power on the IPS 4270-20.
Installing and Removing Fans
There are six fans in the IPS 4270-20. The IPS 4270-20 supports redundant hot-pluggable fans in a 5 + 1 configuration to provide proper airflow. Figure 5-12 shows the fan, its connector, and its indicator.
Step 4 Remove the failed fan by grasping the red plastic handle and pulling up.
Note Remove and replace one fan at a time. If the IPS 4270-20 detects two failed fans, it shuts down to avoid thermal damage.
Troubleshooting Loose Connections
Perform the following actions to troubleshoot loose connections on sensors:
• Make sure all power cords are securely connected.
• Make sure all cables are properly aligned and securely connected for all external and internal components.
• Remove and check all data and power cables for damage. Make sure no cables have bent pins or damaged connectors.
• Make sure each device is properly seated.
CHAPTER 6
Installing the IPS 4345 and IPS 4360
Contents
This chapter describes the Cisco IPS 4345 and the IPS 4360, and includes the following sections:
• Installation Notes and Caveats
• Product Overview
• Specifications
• Accessories
• Front and Back Panel Features
• Rack Mount Installation
• Installing the Appliance on the Network
• Removing and Installing the Power Supply
Installation Notes and Cavea
Product Overview
The IPS 4345 delivers 500 Megabits of intrusion prevention performance. You can use the IPS 4345 to protect both half Gigabit subnets and aggregated traffic traversing switches from multiple subnets. The IPS 4345 is a purpose-built device that has support for both copper and fiber NIC environments thus providing flexibility of deployment in any environment. It replaces the IPS 4240 and the IPS 4255.
Table 6-1 IPS 4345 and IPS 4360 Specifications (continued)
Operating power          Steady state/maximum   372W   382W
Total heat dissipation   730 BTU/hr   730 BTU/hr
Output hold-up time      20mS   12mS
Inrush current           40A   40A
Temperature              Operating: 23°F to 49°F (-5°C to 45°C) Nonoperating: -13°F to -94°F (-25°C to -70°C)   Operating: 23°F to 49°F (-5°C to 45°C) Nonoperating: -13°F to -94°F (25°C to -70°C)
Airflow                  Front to back   Front to back
Relativ
Accessories
Figure 6-1 and Figure 6-2 display the contents of the sensor packing box, which contains the items you need to install the sensor.
Figure 6-2 IPS 4360 Packing Box Contents
1 Sensor chassis (one power supply shown)
2 Yellow Ethernet cable
3 Power cord
4 Blue console cable PC terminal adapter
5 Power cord retainer
6 Documentation
Not shown: Slide rail kit
Front and Back Panel Features
This section describes the IPS 4345 and IPS 4360 front and back panel fea
Figure 6-4 shows the indicators for the IPS 4345. These indicators are also found on the back panel of the IPS 4345.
Figure 6-4 IPS 4345 Indicators
Figure 6-5 shows the indicators for the IPS 4360. These indicators are also found on the back panel of the IPS 4360.
Figure 6-5 IPS 4360 Indicators
Table 6-2 describes the indicators on the IPS 4345 and IPS 4360.
Table 6-2 IPS 4345 and IPS 4360 Indicators (continued)
Indicator   Description
PS1         Indicates the state of the power supply module installed on the right when facing the back panel:
            • Off—No power supply module present or no AC input.
            • Green—Power supply module present, on, and good.
            • Amber—Power or fan module off or failed.
PS0
Figure 6-7 shows the back panel features of the IPS 4360.
Figure 6-7 IPS 4360 Back Panel Features
1 Reserved for future use¹
2 Chassis cover removal screw
3 Management port
4 Network interface ports²
5 Power supply modules
6 USB ports
7 Serial console port³
8 Indicators
1.
Rack Mount Installation
This section describes how to rack mount the 4300 series chassis, and contains the following topics:
• Rack-Mounting Guidelines
• Installing the IPS 4345 in a Rack
• Mounting the IPS 4345 and IPS 4360 in a Rack with the Slide Rail Mounting System
Rack-Mounting Guidelines
Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take s
Installing the IPS 4345 in a Rack
The IPS 4345 ships with the rack mount brackets installed on the front of the chassis. Use these brackets to mount the chassis to the front of the rack. If you want to mount the chassis on the back of the rack, you can move the brackets from the front to the back of the chassis.
Step 4 Attach the chassis to the rack using the supplied screws (Figure 6-10).
Figure 6-10 Rack-Mounting the Chassis
Step 5 To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis.
Installing the Appliance on the Network
Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
Step 4 Connect to the management port. Connect one RJ-45 connector to the management port and connect the other end to the management port on your computer or network device. The appliance has a dedicated management interface referred to as Management 0/0, which is a GigabitEthernet interface with a dedicated port used only for traffic management.
Step 5 Connect to the console port. The console cable has a DB-9 connector on one end for the serial port on your computer, and the other end is an RJ-45 connector. Connect the RJ-45 connector to the console port on the appliance, and connect the other end of the cable, the DB-9 connector, to the console port on your computer.
Step 8 Power on the appliance.
Step 9 Initialize the appliance.
Step 10 Install the most recent Cisco IPS software.
You are now ready to configure intrusion prevention on the appliance.
For More Information
• For more information about ESD, see Preventing Electrostatic Discharge Damage, page 2-3.
Removing and Installing the Power Supply
The power supplies each provide 400 W of output power and are used in a 1 + 1 redundant configuration. There is no input switch on the faceplate of the power supplies. The power supply is switched from Standby to ON by way of a system chassis STANDBY/ON switch. The power supply slot numbers are on the back of the chassis to the left side of each power supply.
Table 6-4 describes the power supply indicator. The function of the indicator is the same for both the AC and DC power supplies.
Table 6-4 AC and DC Power Supply Indicator
Indicator Color and State | Description
Solid green | Power output is on and within the normal operating range.
To remove and install the AC power supply, follow these steps:
Step 1 If you are adding an additional power supply, from the back of the appliance, push the lever on the slot cover to the left to release it, grasp the handle of the slot cover and pull it away from the chassis (Figure 6-12). Save the slot cover for future use. Continue with Step 3.
Step 3 Install the new power supply by aligning it with the power supply bay and pushing it into place until it is seated while supporting it from beneath with the other hand (Figure 6-14).
Figure 6-14 Installing the AC Power Supply
Step 4 Connect the power cable. If you are installing two power supplies for a redundant configuration, plug each one into a power source (we recommend a UPS).
Installing DC Input Power
Warning The covers are an integral part of the safety design of the product. Do not operate the unit without the covers installed. Statement 1077
Warning When you install the unit, the ground connection must always be made first and disconnected last. Statement 1046
Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit.
Figure 6-16 shows the back panel of the IPS 4345 with the DC power supply.
Figure 6-16 IPS 4345 Back Panel
1 Fixed fan
2 Fixed DC power supply
Figure 6-17 shows the back panel of the IPS 4360 with two DC power supplies.
To connect the DC power supply on the appliance, follow these steps:
Step 1 Make sure that the chassis ground is connected on the chassis before you begin installing the DC power supply.
Step 2 Turn off the circuit breaker to the power supply.
Step 3 From the front of the appliance, verify that the power switch is in the Standby position.
Step 6 Identify the positive, negative, and ground feed positions for the DC power supply connection.
Figure 6-20 shows the DC power supply with lead wires.
Figure 6-20 DC Power Supply with Lead Wires
Step 7 Insert the exposed end of one of the ground wires into the inlet on the DC power supply. After you push in the wires, they are held in place with a spring, which makes the physical contact. Make sure that you cannot see any wire lead. Only wires with insulation should extend from the DC power supply.
Removing and Installing the DC Power Supply
Note This procedure applies only to the appliances with a removable DC power supply (IPS 4360).
To remove and install a DC power supply, follow these steps:
Step 1 Make sure that the chassis ground is connected on the chassis before you begin installing the DC power supply, as described in Working in an ESD Environment, page 2-4.
c. Push the lever on the power supply to the left and remove the power supply by grasping the handle and then pulling the power supply out of the chassis while supporting it from beneath with the other hand (Figure 6-24).
CHAPTER 7 Installing the IPS 4510 and IPS 4520
Contents
This chapter describes the Cisco IPS 4510 and IPS 4520, and includes the following sections:
• Installation Notes and Caveats
• Product Overview
• Front and Back Panel Features
• Specifications
• Accessories
• Memory Configurations
• Power Supply Module Requirements
• Supported SFP/SFP+ Modules
• Installing the IPS 4510 and IPS 4520
•
Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4500 Series Sensor Appliance document and follow proper safety procedures when performing the steps in this guide.
IME
The Intrusion Prevention System Manager Express (IME) 7.2.3 and later also support the IPS 4510 and IPS 4520. IME is a network management application that provides system health, events, and collaboration monitoring in addition to reporting and configuration for up to ten sensors.
Front and Back Panel Features
Figure 7-2 shows the front panel indicators.
Figure 7-2 Front Panel Indicators
1 PWR
2 BOOT
3 ALARM
4 ACT (footnote 1)
5 VPN (footnote 2)
6 PS1
7 PS0
8 HDD1 (footnote 3)
9 HDD2 (footnote 4)
1. Not supported at this time.
2. Not supported at this time.
3. Not supported at this time.
4. Not supported at this time.
Table 7-1 Front Panel Indicators (continued)
Indicator and Description
PS1
  Indicates the state of the power supply module installed on the right when facing the back panel:
  • Off—No power supply module present or no AC input.
  • Green—Power supply module present, on, and good.
  • Amber—Power or fan module off or failed.
PS0
HDD1
HDD2
Figure 7-3 shows the back panel features.
Figure 7-3 Back Panel Features
Table 7-2 describes the power supply module and fan module indicators.
Table 7-2 Power Supply Module and Fan Module Indicators
Indicator and Description
IN OK
  Indicates status of power supply module:
  • Off—No AC power cord connected or AC power switch off.
  • Green—AC power cord connected and AC power switch on.
FAN OK
  Indicates status of fan module
  • Off—Fan module failure or AC power switch off.
OUT FAIL
Table 7-3 Ethernet Port Indicators (continued)
Indicator and Description
10-Gigabit Ethernet Fiber (SFP+)/1-Gigabit Ethernet Fiber (SFP)
  • Left side:
    – Off—No 10-Gigabit Ethernet physical link
    – Green—10-Gigabit Ethernet physical link
    – Flashing green 1—Network activity
  • Right side:
    – Off—No 1-Gigabit Ethernet physical link
    – Green—1-Gigabit Ethernet physical link
    – Flashing green 1—Network activity
Management port
  • Left side:
    – Green
Table 7-4 IPS 4510 and IPS 4520 Specifications (continued)
Maximum heat dissipation | 3960 BTU/hr (100 VAC); 5450 BTU/hr (200 VAC)
Power supply output steady state | 1200W
Maximum peak | 1200W
Environment
Temperature | Operating: 32°F to 104°F (0°C to 40°C); Nonoperating: -40°F to 158°F (-40°C to 70°C)
Airflow | Front to back
Relative humidity (noncondensing) | Operating: 10% to 90%; Nonoperating: 5% to 95%
Altitude | Operating: 0 to 3000 ft (9843 ft); Nono
Memory Configurations
The IPS 4510 and IPS 4520 have up to 6 DIMM modules per CPU. DIMM population is platform-dependent. Table 7-5 shows the memory configurations.
Table 7-5 Memory Configurations
Model | Memory
IPS 4510 | 24-GB DRAM
IPS 4520 | 48-GB DRAM
Power Supply Module Requirements
Table 7-6 lists the power supply module requirements.
Table 7-6 Power Supply Module Requirements
 | 50 V | 12 V | 3.3 V_STBY
Maximum | 52.0 V | 12.2.
Table 7-7 lists the SFP/SFP+ modules that the IPS 4510 and IPS 4520 support.
b. Connect one RJ-45 connector to the Management 0/0 interface.
c. Connect the other end of the Ethernet cable to the Ethernet port on your computer or to your management network.
Caution Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns.
b. Connect one end of the LC cable to the SFP/SFP+ module.
c. Connect the other end of the LC cable to a network device, such as a router or switch.
Step 5 Install the electrical cables.
a. Attach the power cable to the power supply module on the back of the sensor.
Step 6 Power on the sensor.
Caution If the appliance is subjected to environmental overheating, it shuts down and you must manually power cycle it to turn it on again.
Step 7 Check the PWR indicator on the front panel of the sensor to verify power socket connectivity. It should be green. To verify power supply operation, check the PS0 and PS1 indicators on the front panel. They should be green.
Removing and Installing the Core IPS SSP
Step 7 Grasp the ejection levers at the left and right bottom of the designated slot and pull them out.
1 Module
2 Ejection levers
Step 8 Grasp the sides of the module and pull it all the way out of the chassis.
Removing and Installing the Power Supply Module
The IPS 4510 ships with one power supply module and one fan module installed, and the IPS 4520 ships with two power supply modules installed in a load balancing/sharing configuration. This configuration ensures that if one power supply module fails, the other power supply module assumes the full load until the failed power supply module is replaced.
Step 5 Install the new power supply module by aligning it with the power supply module bay and pushing it into place until it is seated.
Removing and Installing the Fan Module
The IPS 4510 ships with one power supply module and one fan module installed, and the IPS 4520 ships with two power supply modules instead of a power supply module and a fan module. You can replace the fan module in the IPS 4510 if necessary. The fan module is hot-pluggable.
Step 3 Install the new fan module by aligning it with the fan module bay and pushing it into place until it is seated.
1 Fan module and fan handle
2 Fan module screw
3 Power supply module
Step 4 Tighten the captive screws.
Figure 7-5 shows all of the brackets that can be removed for the fixed rack mount.
Installing and Removing the Slide Rail Kit
Package Contents
The slide rail kit package contains the following items:
• Left and right slide rails
• Six #10-32 screws
• Two #10-32 cage nuts
Installing the Chassis in the Rack
To install the chassis in the rack using the slide rail kit, follow these steps:
Step 1 Press the latch on the end of the slide rail and push forward to engage the pins in the rack until the clip clicks and locks around the rack pos
For square hole posts, square studs must be attached fully inside the square hole on the rack rail. For threaded hole posts, the round stud must fully enter inside the threaded hole rack rail (Figure 7-8).
Note After installing the square or round studs into the rack post, verify that the locking clip is fully seated and secure against the rack rail.
Step 2 Secure the slide rail to the rack post with the provided #10-32 screws by tightening the screws at the front and rear end of the slide rail to the rack post (Figure 7-9).
Caution Both front and rear rack posts must be secured with the screws before you install the chassis. It is critical that the screws are installed and secured to the front and rear end of the slide rails.
Step 3 For square hole racks, install one #10-32 cage nut on each side of the rack rail (Figure 7-10). Leave one square hole spacing above the slide rail. The cage nut will be used later to secure the chassis to the rack post. For threaded hole racks, no additional hardware is needed.
Step 4 Install the chassis on the outer rail. Make sure that the U-bars are aligned to the outer rail evenly, then push the chassis into the rack (Figure 7-11).
Caution Before installing the chassis, make sure that the slide rails are properly installed and that the perforated holes on the outer slide rail align with the perforated holes on the chassis.
Step 5 Tighten the screws to secure the chassis to the rack (Figure 7-12). Use the upper hole to secure the chassis to the rack.
a. For square hole racks, secure the chassis to the rack by installing the #10-32 screw into the cage nut that you installed in Step 3.
b. For threaded hole racks, secure the front of the chassis by installing the #10-32 screws into the rack threaded hole.
Removing the Chassis from the Rack
To remove the chassis from the rack, follow these steps:
Step 1 Remove the screws from the front brackets of the rail post (Figure 7-13).
Figure 7-13 Removing the Screws from the Outer Rail
Step 2 Pull out the chassis to the locked position.
Step 3 Press down the release hook to remove the chassis from the rack (Figure 7-14).
Figure 7-14 Pressing Down the Release Hook
Step 4 Remove the two screws from the front and rear of the rack that are securing the slide rail, and release the latch and pull out the rails (Figure 7-15).
Figure 7-15 Releasing the Latch to Pull Out the Rails
Rack-Mounting the Chassis Using the Fixed Rack Mount
If you are not able to use the slide rail kit in your rack installation, an optional fixed rack mount solution is available.
Position the front bracket on the side of the sensor and line up the bracket screws with the screw holes on the sensor.
(Optional) Install the proper slide-mount brackets onto the rear bracket on the chassis.
Installing the Cable Management Brackets
The IPS 4510 and IPS 4520 ship with two cable management brackets that you can use to organize the cables connected to the adaptive security appliance.
To install the cable management brackets on the sensor, follow these steps:
Step 1 Power off the sensor.
Step 2 Remove the power cable from the sensor.
Figure 7-17 Cable Management Brackets for the Slide Rail
Step 4 Tighten the screws into the rack.
Step 5 Reattach the power cable to the sensor.
Step 6 Organize the cables through the cable management brackets on the sensor.
Step 7 Power on the sensor.
IPS 4500 Series Sensors and the SwitchApp
The 4500 series sensors have a built-in switch that provides the external monitoring interfaces of the sensor. The SwitchApp is part of the IPS 4500 series design that enables the InterfaceApp and sensor initialization scripts to communicate with and control the switch. Any application that needs to get or set information on the switch must communicate with the SwitchApp.
CHAPTER 8 Installing and Removing the ASA 5500 AIP SSM
Contents
This chapter describes the ASA 5500 AIP SSM and contains the following sections:
• Installation Notes and Caveats
• Product Overview
• Specifications
• Memory Specifications
• Hardware and Software Requirements
• Indicators
• Installation and Removal Instructions
Installation Notes and Caveats
Pay attention to the following installation notes and caveats
Product Overview
The Cisco ASA Advanced Inspection and Prevention Security Services Module (ASA 5500 AIP SSM) is the IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance software integrates firewall, VPN, and intrusion detection and prevention capabilities in a single platform.
In promiscuous mode, the IPS receives packets over the GigabitEthernet interface, examines them for intrusive behavior, and generates alerts based on a positive result of the examination. In inline mode, there is the additional step of sending all packets that did not result in an intrusion back out the GigabitEthernet interface.
Specifications
Table 8-1 lists the specifications for the ASA 5500 AIP SSM:
Table 8-1 ASA 5500 AIP SSM Specifications
Specification | Description
Dimensions (H x W x D) | 1.70 x 6.80 x 11.00 inches
Weight | Minimum: 2.50 lb; Maximum: 3.00 lb 1
Operating temperature | +32° to +104°F (+0° to +40°C)
Nonoperating temperature | –40° to +167°F (–40° to +75°C)
Humidity | 10% to 90%, noncondensing
1. 2.
Indicators
Figure 8-3 shows the ASA 5500 AIP SSM indicators.
Figure 8-3 ASA 5500 AIP SSM Indicators
Table 8-3 describes the ASA 5500 AIP SSM indicators.
Table 8-3 ASA 5500 AIP SSM Indicators
LED | Color | State | Description
1 PWR | Green | On | The system has power.
2 STATUS | Green | Flashing | The system is booting.
 | | Solid | The system has passed power-up diagnostics.
Installation and Removal Instructions
Step 3 Remove the two screws at the left back end of the chassis, and remove the slot cover.
Note Store the slot cover in a safe place for future use. You must install slot covers on all empty slots. This prevents EMI, which can disrupt other equipment.
Step 4
• For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
Verifying the Status of the ASA 5500 AIP SSM
You can use the show module 1 command to verify that the ASA 5500 AIP SSM is up and running. The following values are valid for the Status field:
• Initializing—The ASA 5500 AIP SSM is being detected and the control communication is being initialized by the system.
Step 5 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 6 Remove the two screws at the left back end of the chassis.
Step 7 Remove the ASA 5500 AIP SSM and set it aside.
Note If you are not replacing the ASA 5500 AIP SSM immediately, install the blank slot cover.
Step 8
CHAPTER 9 Installing and Removing the ASA 5585-X IPS SSP
Contents
This chapter describes the Cisco ASA 5585-X IPS SSP, and contains the following sections:
• Installation Notes and Caveats
• Introducing the ASA 5585-X IPS SSP
• Specifications
• Hardware and Software Requirements
• Front Panel Features
• Memory Requirements
• SFP/SFP+ Modules
• Installing the ASA 5585-X IPS SSP
• Installing SFP/S
Introducing the ASA 5585-X IPS SSP
You can install the Cisco Intrusion Prevention System Security Services Processor (ASA 5585-X IPS SSP) in the ASA-5585-X adaptive security appliance. The ASA 5585-X is a 2RU, two-slot chassis. The Security Services Processor (ASA 5585-X SSP) resides in slot 0 (the bottom slot) and the ASA 5585-X IPS SSP resides in slot 1 (the top slot).
another power supply module for a redundant power supply configuration. The SSP-10 with IPS SSP-10 has two CPUs, six DIMM modules, two embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.
ASA 5585-X SSP-20 With IPS SSP-20
The ASA 5585-X SSP-20 with IPS SSP-20 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (2 SFP/SFP+ and 18 copper Gigabit Ethernet).
Hardware and Software Requirements
The ASA 5585-X IPS SSP has the following hardware and software requirements:
• Cisco ASA 5585-X adaptive security appliance
  – ASA 5585-X SSP-10 with IPS SSP-10
  – ASA 5585-X SSP-20 with IPS SSP-20
  – ASA 5585-X SSP-40 with IPS SSP-40
  – ASA 5585-X SSP-60 with IPS SSP-60
• Cisco Adaptive Security Appliance Software ASA 8.2(4.
Front Panel Features
1 ASA 5585-X IPS SSP (Slot 1)
2 SSP (Slot 0)
3 SSP/ASA 5585-X IPS SSP Removal Screws
4 Reserved bays for hard disk drives (footnote 1)
5 TenGigabitEthernet 0/1 (10-Gb fiber, SFP, or SFP+)
6 TenGigabitEthernet 0/0 (1-Gb fiber, SFP, or SFP+)
7 GigabitEthernet 1/0 through 1/7, from right to left (1-Gb copper, RJ45)
9
10 USB port
11 USB port
12 Front panel indicators
13 Auxiliary port (RJ45)
14 Console port (RJ45)
15 Eject (footnote 2)
5 TenGigabitEthernet 1/9 (10-Gb fiber, SFP, or SFP+)
6 TenGigabitEthernet 1/8 (1-Gb fiber, SFP, or SFP+)
7 TenGigabitEthernet 1/7 (10-Gb fiber, SFP, or SFP+)
8 TenGigabitEthernet 0/6 (SSP in slot 2) TenGigabitEthernet 1/6 (ASA 5585-X IPS SSP in slot 1) (1-Gb fiber, SFP, or SFP+)
9 GigabitEthernet 0/0 through 0/5 (SSP in slot 2) Gi
14 Front panel indicators
15 Auxiliary port (RJ45)
16 Console port (RJ45)
17 Eject (footnote 2)
Table 9-2 describes the front panel indicators on the ASA 5585-X IPS SSP.
Table 9-2 ASA 5585-X IPS SSP Front Panel Indicators
Indicator and Description
PWR
  Indicates whether the system is off or on:
  • Off—No power.
  • Green—System has power.
BOOT
  Indicates how the power-up diagnostics are proceeding:
  • Flashing green—Power-up diagnostics are running or the system is booting.
ALARM
Table 9-3 shows the Ethernet port indicators.
SFP/SFP+ Modules
The SFP/SFP+ module is a hot-swappable input/output device that plugs into the SFP/SFP+ ports and provides Gigabit Ethernet connectivity. The SFP and SFP+ modules are optional and not included with the ASA 5585-X IPS SSP. You can purchase them separately. For 1 Gb, you need SFP. For 10 Gb, you need SFP+. The interfaces are called TenGigabitEthernet 0/x whether they are 10 Gb-enabled or not.
Installing the ASA 5585-X IPS SSP
From the front panel of the ASA 5585-X, loosen the captive screws on the upper left and right of the slot tray (slot 1), and remove it. Store it in a safe place for future use. You must install slot trays in all empty slots to maintain the proper air flow. This prevents EMI, which can disrupt other equipment.
For More Information
• For more information about ESD, see Preventing Electrostatic Discharge Damage, page 2-3.
• For the procedure for verifying that the ASA 5585-X IPS SSP is properly installed, see Verifying the Status of the ASA 5585-X IPS SSP, page 9-12.
• For the procedure for using the setup command to initialize the ASA 5585-X IPS SSP, see Appendix B, “Initializing the Sensor.
Installing SFP/SFP+ Modules
To connect to the SFP/SFP+ port if you are using fiber ports, follow these steps:
Step 1 Install the SFP/SFP+ module.
Step 2 Connect one end of the LC cable to the SFP/SFP+.
Step 3 Connect the other end of the LC cable to a network device, such as a router or switch.
Verifying the Status of the ASA 5585-X IPS SSP
To verify the status of the ASA 5585-X IPS SSP, follow these steps:
Step 1 Log in to the adaptive security appliance.
Step 2 Verify the status of the ASA 5585-X IPS SSP:
asa# show module 1
Mod Card Type Model Serial No.
Removing and Replacing the ASA 5585-X IPS SSP
Grasp the ejection levers at the left and right bottom of the module slot and pull them out.
Step 11 Replace the screws.
Step 12 Reconnect the power cable to the ASA 5585-X.
Step 13 Power on the ASA 5585-X.
Step 14 Verify that the PWR indicator on the front panel is green. You can also verify that the ASA 5585-X IPS SSP is online using the show module 1 command.
APPENDIX A Logging In to the Sensor
Contents
This chapter explains how to log in to the sensor. All IPS platforms allow ten concurrent login sessions.
For More Information
For the procedure for creating the service account, refer to Creating the Service Account, page E-5.
Logging In to the Appliance
Note You can log in to the appliance from a console port. The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.
Connecting an Appliance to a Terminal Server
A terminal server is a router with multiple, low-speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances.
Logging In to the ASA 5500 AIP SSM
You log in to the ASA 5500 AIP SSM from the adaptive security appliance.
To session in to the ASA 5500 AIP SSM from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2
Logging In to the ASA 5500-X IPS SSP
You log in to the ASA 5500-X IPS SSP from the adaptive security appliance.
To session in to the ASA 5500-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
Step 2
For More Information
For the procedure for using the setup command to initialize the ASA 5500-X IPS SSP, see Advanced Setup for the ASA 5500-X IPS SSP, page B-17.
Logging In to the ASA 5585-X IPS SSP
You log in to the ASA 5585-X IPS SSP from the adaptive security appliance.
To session in to the ASA 5585-X IPS SSP from the adaptive security appliance, follow these steps:
Step 1 Log in to the adaptive security appliance.
For More Information
For the procedure for initializing the ASA 5585-X IPS SSP using the setup command, see Advanced Setup for the ASA 5585-X IPS SSP, page B-21.
Logging In to the Sensor
Note After you have initialized the sensor using the setup command and enabled Telnet, you can use SSH or Telnet to log in to the sensor.
APPENDIX B Initializing the Sensor
Contents
This chapter describes how to use the setup command to initialize the sensor, and contains the following sections:
• Understanding Initialization
• Simplified Setup Mode
• System Configuration Dialog
• Basic Sensor Setup
• Advanced Setup
• Verifying Initialization
Understanding Initialization
After you install the sensor on your network, you must use the setup command to initialize i
Simplified Setup Mode
The sensor automatically calls the setup command when you connect to the sensor using a console cable and the sensor basic network settings have not yet been configured. The sensor does not call automatic setup under the following conditions:
• When initialization has already been successfully completed.
• If you have recovered or downgraded the sensor.
Default settings are in square brackets '[]'.
Current time: Wed Nov 11 21:19:51 2009
Setup Configuration last modified:
Enter host name[sensor]:
Enter IP interface[192.168.1.2/24,192.168.1.1]:
Modify current access list?[no]:
Current access list entries:
[1] 0.0.0.0/0
Delete:
Permit:
Use DNS server for Global Correlation?[no]:
DNS server IP address[171.68.226.
Purpose: Tracks product efficacy
Participation Level = "Full" additionally includes:
* Type of Data: Victim IP Address and port
Purpose: Detect threat behavioral patterns
Do you agree to participate in the SensorBase Network?[no]:

For More Information

For detailed information on the global correlation features, for the IDM refer to Configuring Global Correlation, for the IME refer to Configuring Global Correlation, and for the CLI, refer to Configuri
Step 7 You must configure a DNS server or an HTTP proxy server for global correlation to operate:
a. Enter yes to add a DNS server, and then enter the DNS server IP address.
b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.

Caution You must have a valid sensor license for global correlation features to function.

Step 8
o. Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 0.
p. Enter yes if you want to use NTP. To use authenticated NTP, you need the NTP server IP address, the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure NTP later. Otherwise, you can choose unauthenticated NTP.

Step 9
exit
service global-correlation
network-participation full
exit
[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Step 11 Enter 2 to save the configuration (or 3 to continue with advanced setup using the CLI).
Enter your selection[2]: 2
Configuration Saved.
Note Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which virtual sensors. The interfaces change according to the appliance model, but the prompts are the same for all models.
Note The following options let you create and delete interfaces. You assign the interfaces to virtual sensors in the virtual sensor configuration. If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary.

[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:

Step 14 Enter 4 to add an inline interface pair and see these options.
Available Interfaces
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3

Step 15 Enter the pair name, description, and which interfaces you want to pair.
Step 21 Enter 4 to add inline interface pair NewPair.

Step 22 Press Enter to return to the top-level virtual sensor menu.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
Inline Vlan Pair: GigabitEthernet0/0:1 (Vlans: 200, 300)
Inline Interface Pair: newPair (GigabitEthernet0/1, GigabitEthernet0/2)
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
subinterface-type inline-vlan-pair
subinterface 1
description Created via setup by user asmith
vlan1 200
vlan2 300
exit
exit
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
physical-interfaces GigabitEthernet0/2
admin-state enabled
exit
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
inline-interfaces newPair
description Created via setup by user asmith
interface1 GigabitEthernet0/1
interface2 GigabitEthernet0/2
exit
e
Step 30 Apply the most recent service pack and signature update. You are now ready to configure your appliance for intrusion prevention.

For More Information
• For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
Note You do not need to configure interfaces on the ASA 5500 AIP SSM. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500 AIP SSM than for other sensors.

[1] Modify interface default-vlan.
Option:

Step 8 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 15 Enter 1 to use the existing anomaly detection configuration, ad0.
Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:

Step 16 Enter 2 to create a signature-definition configuration file.

Step 17 Enter the signature-definition configuration name, newSig.
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces GigabitEthernet0/1
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
ove
For More Information
• For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
• For the procedures for configuring intrusion prevention on your sensor, refer to the following guides:
– Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.
[1] Modify interface default-vlan.
Option:

Step 8 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:

Step 9 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Step 17 Enter the signature-definition configuration name, newSig.
Event Action Rules Configuration
[1] rules0
[2] Create a new event action rules configuration
Option[2]:

Step 18 Enter 1 to use the existing event-action-rules configuration, rules0.

Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
– Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.1

Advanced Setup for the ASA 5585-X IPS SSP

To continue with advanced setup for the ASA 5585-X IPS SSP, follow these steps:

Step 1 Session in to the ASA 5585-X IPS SSP using an account with administrator privileges.
asa# session 1

Step 2 Enter the setup command. The System Configuration Dialog is displayed.
Step 9 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:

Step 10 Enter 2 to modify the virtual sensor vs0 configuration.
Virtual Sensor: vs0
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: sig0
No Interfaces to remove.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.

Virtual Sensor: newVs
Anomaly Detection: ad0
Event Action Rules: rules0
Signature Definitions: newSig
Monitored: PortChannel0/0
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Option:

Step 19
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
risk-rating-range 90-100
exit
exit
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Verifying Initialization

To verify that you initialized your sensor, follow these steps:

Step 1 Log in to the sensor.

Step 2 View your configuration.
sensor# show configuration
! -----------------------------
! Current configuration last modified Tue Nov 01 10:40:39 2011
! -----------------------------
! Version 7.1(3)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S581.
summary-mode fire-all
exit
exit
status
enabled true
exit
exit
exit
! -----------------------------
service ssh-known-hosts
rsa1-keys 10.89.146.
CHAPTER C

Obtaining Software

Contents

This chapter provides information on obtaining Cisco IPS software for the sensor. It contains the following sections:
• Obtaining Cisco IPS Software, page C-1
• IPS 7.1 Files, page C-2
• IPS Software Versioning, page C-3
• IPS Software Release Examples, page C-6
• Accessing IPS Documentation, page C-7
• Cisco Security Intelligence Operations, page C-8
• Obtaining a License Key From Cisco.
Step 3 Under Select a Software Product Category, choose Security Software.

Step 4 Choose Intrusion Prevention System (IPS).

Step 5 Enter your username and password.

Step 6 In the Download Software window, choose IPS Appliances > Cisco Intrusion Prevention System and then click the version you want to download.

Note You must have an IPS subscription service license to download software.

Step 7 Click the type of software file you need.
IPS Software Versioning

When you download IPS software images from Cisco.com, you should understand the versioning scheme so that you know which files are base files, which are cumulative, and which are incremental. This section describes the various IPS software files.

Major Update

A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 7.
Figure C-1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases.

Figure C-1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases

IPS-identifier-K9-x.y-z[a or p1]-E1.
Signature Engine Update

A signature engine update is an executable file containing binary code to support new signature updates. Signature engine files require a specific service pack, which is also identified by the req designator. Figure C-3 illustrates what each part of the IPS software file represents for signature engine updates.

Figure C-3 IPS Software File Name for Signature Engine Updates

IPS-identifier-[engine]-[E]-req-x.y-z.
IPS Software Release Examples

Table C-1 lists platform-independent Cisco IPS software release examples.

Table C-1 Platform-Independent Release Examples

Release                     Target Frequency     Identifier   Example Version   Example Filename
Signature update 1          Weekly               sig          S552              IPS-identifier-sig-S552-req-E4.pkg
Signature engine update 2   As needed            engine       E4                IPS-identifier-engine-E4-req-7.1-2.pkg
Service packs 3             Every three months   —            7.
Table C-1 describes the platform identifiers used in platform-specific names.
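The req designator in these file names can be checked against the running sensor before a file is staged for the upgrade command. The following Python sketch is an added example, not Cisco code: it recognizes only the two complete file name shapes shown in Table C-1 and a sensor version string of the form 7.1(3)E4. The function names and the exact-match reading of the req designator are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Identifier segment: letters, digits, underscores, optional dash-joined parts.
# Path separators and dots are not allowed, so "../" style names never match.
_IDENT = r"(?P<ident>[A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)*)"

# The two complete shapes listed in Table C-1.
SIG_RE = re.compile(rf"IPS-{_IDENT}-sig-S(?P<sig>\d+)-req-E(?P<req_engine>\d+)\.pkg")
ENGINE_RE = re.compile(
    rf"IPS-{_IDENT}-engine-E(?P<engine>\d+)"
    r"-req-(?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)\.pkg"
)
# Sensor version in the form used on this page, e.g. "7.1(3)E4".
VERSION_RE = re.compile(r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<sp>\d+)\)E(?P<engine>\d+)")


@dataclass(frozen=True)
class Installed:
    major: int
    minor: int
    service_pack: int
    engine: int


def parse_installed(version: str) -> Installed:
    """Split a version such as '7.1(3)E4' into its numeric parts."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognized sensor version: {version!r}")
    return Installed(int(m["major"]), int(m["minor"]), int(m["sp"]), int(m["engine"]))


def check_update(filename: str, installed_version: str) -> tuple[bool, str]:
    """Return (ok, reason) for a signature or signature engine update file.

    Assumption for this example: the req designator must match the installed
    engine level (signature updates) or the installed x.y and service pack
    (engine updates) exactly.
    """
    inst = parse_installed(installed_version)

    m = SIG_RE.fullmatch(filename)
    if m:
        need = int(m["req_engine"])
        if need != inst.engine:
            return False, (f"signature update S{m['sig']} requires engine E{need}, "
                           f"sensor has E{inst.engine}")
        return True, f"signature update S{m['sig']} matches engine E{inst.engine}"

    m = ENGINE_RE.fullmatch(filename)
    if m:
        need = (int(m["major"]), int(m["minor"]), int(m["sp"]))
        have = (inst.major, inst.minor, inst.service_pack)
        new_engine = int(m["engine"])
        if need != have:
            return False, (f"engine update E{new_engine} requires "
                           f"{need[0]}.{need[1]}({need[2]}), "
                           f"sensor has {have[0]}.{have[1]}({have[2]})")
        if new_engine <= inst.engine:
            return False, f"engine E{new_engine} is not newer than installed E{inst.engine}"
        return True, f"engine update E{new_engine} matches {have[0]}.{have[1]}({have[2]})"

    # System images, service packs, and anything malformed are out of scope here.
    return False, "file name does not match a signature or engine update pattern"


if __name__ == "__main__":
    # Constructed sample inputs: Table C-1 file names against constructed versions.
    samples = [
        ("IPS-identifier-sig-S552-req-E4.pkg", "7.1(3)E4"),
        ("IPS-identifier-sig-S552-req-E4.pkg", "7.1(3)E3"),
        ("IPS-identifier-engine-E4-req-7.1-2.pkg", "7.1(2)E3"),
        ("IPS-identifier-engine-E4-req-7.1-2.pkg", "7.1(3)E4"),
        ("../IPS-identifier-sig-S552-req-E4.pkg", "7.1(3)E4"),
    ]
    for name, version in samples:
        ok, reason = check_update(name, version)
        print(f"{'OK  ' if ok else 'SKIP'} {name} on {version}: {reason}")
```

A file that fails the check is a candidate for closer inspection before it is copied to the sensor, not proof that the file is bad.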
Note Although you will see references to other IPS documentation sites on Cisco.com, this is the site with the most complete and up-to-date IPS documentation.

Step 5 Click one of the following categories to access Cisco IPS documentation:
• Download Software—Takes you to the Download Software site.

Note You must be logged into Cisco.com to access the software download site.
• Obtaining a License for the IPS 4270-20, page C-14
• Licensing the ASA 5500-X IPS SSP, page C-15
• Uninstalling the License Key, page C-15

Understanding Licensing

Although the sensor functions without the license key, you must have a license key to obtain signature updates and use the global correlation features.
When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:
• IPS 4240
• IPS 4255
• IPS 4260
• IPS 4270-20
• IPS 4345
• IPS 4360
• IPS 4510
• IPS 4520

When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.

Note SMARTnet provides operating system updates, access to Cisco.
Step 3 The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.

Step 4 Obtain a license key by doing one of the following:
• Click the Cisco.com radio button to obtain the license from Cisco.com. The IDM or the IME contacts the license server on Cisco.com and sends the server the serial number to obtain the license key.
Use the copy source-url license_file_name license-key command to copy the license key to your sensor. The following options apply:
• source-url—The location of the source file to be copied. It can be a URL or keyword.
• destination-url—The location of the destination file to be copied. It can be a URL or a keyword.
• license-key—The subscription license file.
• license_file_name—The name of the license file you receive.
Note You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.

Step 4 Save the license key to a system that has a Web server, FTP server, or SCP server.

Step 5 Log in to the CLI using an account with administrator privileges.

Step 6 Copy the license key to the sensor.
sensor# copy scp://user@192.168.1.2/24://tftpboot/dev.
For More Information
• For the procedure for adding a remote host to the SSH known hosts list, for the IDM refer to Defining Known Hosts Keys, for the IME refer to Defining Known Host Keys, and for the CLI, refer to Adding Hosts to the SSH Known Hosts List.
Licensing the ASA 5500-X IPS SSP

For the ASA 5500-X series adaptive security appliances with the IPS SSP, the ASA requires the IPS Module license. To view your current ASA licenses, in ASDM choose Home > Device Dashboard > Device Information > Device License. For more information about ASA licenses, refer to the licensing chapter in the configuration guide.
system is using 33.6M out of 160.0M bytes of available disk space (21% usage)
application-data is using 70.5M out of 169.4M bytes of available disk space (44% usage)
boot is using 62.5M out of 70.1M bytes of available disk space (94% usage)
application-log is using 494.0M out of 513.
APPENDIX D

Upgrading, Downgrading, and Installing System Images

Contents

This chapter describes how to upgrade, downgrade, and install system images.
• You cannot use the downgrade command to revert to a previous major or minor version, for example, from Cisco IPS 7.1 to 7.0. You can only use the downgrade command to downgrade from the latest signature update or signature engine update. To revert to 7.0, you must reimage the sensor.
• All user configuration settings are lost when you install the system image.
For More Information
• For the procedure for downloading IPS software updates from Cisco.com, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for configuring automatic updates, see Configuring Automatic Upgrades, page D-6.

Upgrading the Sensor

This section explains how to use the upgrade command to upgrade the software on the sensor. It contains the following topics:
• IPS 7.
Note You are prompted for a password.

– scp:—Source URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename

Note You are prompted for a password. You must add the remote host to the SSH known hosts list.

– http:—Source URL for the web server.
Note Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation.

Note The operating system is reimaged and all files that have been placed on the sensor through the service account are removed.

Step 7 Verify your new sensor version.
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.
Upgrading the Recovery Partition

Use the upgrade command to upgrade the recovery partition with the most recent version so that it is ready if you need to recover the application partition on your sensor. Recovery partition images are generated for major and minor updates and only in rare situations for service packs or signature updates.
Understanding Automatic Upgrades

Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.
• schedule-option—Specifies the schedules for when Cisco server automatic upgrades occur. Calendar scheduling starts upgrades at specific times on specific days. Periodic scheduling starts upgrades at specific periodic intervals.
– calendar-schedule—Configures the days of the week and times of day that automatic upgrades will be performed.
Step 3 Configure the sensor to automatically look for new upgrades either on Cisco.com or on your file server:
a. On Cisco.com. Continue with Step 4.
sensor(config-hos-aut)# cisco-server enabled
b. From your server.
sensor(config-hos-aut)# user-server enabled
c. Specify the IP address of the file server.
sensor(config-hos-ena)# ip-address 10.1.1.1
d.
user-name: tester
password:
file-copy-protocol: ftp default: scp
-----------------------------------------------
sensor(config-hos-ena)#

Step 8 Exit automatic upgrade submode.
sensor(config-hos-ena)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:

Step 9 Press Enter to apply the changes or type no to discard them.
Recovering the Application Partition

You can recover the application partition image for the sensor if it becomes unusable. Some network configuration information is retained when you use this method, which lets you have network access after the recovery is performed.
For More Information
• For the procedure for upgrading the recovery partition to the most recent version, see Upgrading the Recovery Partition, page D-6.
• For a list of supported TFTP servers, see TFTP Servers, page D-13.
• For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for using the setup command, see Appendix B, “Initializing the Sensor.
TFTP Servers

ROMMON uses TFTP to download an image and launch it. TFTP does not address network issues such as latency or error recovery. It does implement a limited packet integrity check so that packets arriving in sequence with the correct integrity value have an extremely low probability of error.
Installing the IPS 4270-20 System Image

You can install the IPS 4270-20 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device. To install the IPS 4270-20 system image, follow these steps:

Step 1 Download the IPS 4270-20 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4270-20.
• Gateway—Specifies the gateway IP address used by the IPS 4270-20.
• Port—Specifies the Ethernet interface used for IPS 4270-20 management.
• VLAN—Specifies the VLAN ID number (leave as untagged).
• Image—Specifies the system image file/path name.
• Config—Unused by these platforms.

Note Not all values are required to establish network connectivity.

Step 5
Step 11 Download and install the system image.
rommon> tftp

Caution To avoid corrupting the system image, do not remove power from the IPS 4270-20 while the system image is being installed.

Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4270-20. Be sure to use the IPS 4270-20 image.
• Config—Unused by these platforms.

Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.

Step 5 If necessary, change the interface used for the TFTP download.
Step 11 Enter set and press Enter to verify the network settings.

Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.

Step 12 Download and install the system image.
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

The system enters ROMMON mode. The rommon> prompt appears.

Step 4 Check the current network settings.
rommon> set
ROMMON Variable Settings:
ADDRESS=0.0.0.0
SERVER=0.0.0.0
GATEWAY=0.0.0.
Step 9 If necessary define the path and filename on the TFTP file server from which you are downloading the image.
rommon> IMAGE=path/file_name

UNIX Example
rommon> IMAGE=/system_images/IPS-4510-K9-sys-1.1-a-7.1-4-E4.img

Note The path is relative to the UNIX TFTP server default tftpboot directory.
To install the system image on the ASA 5500-X IPS SSP, follow these steps:

Step 1 Download the IPS system image file corresponding to your ASA platform to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance.

Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance.
Note To debug any errors that may happen in the recovery process, use the debug module-boot command to enable debugging of the system reimaging process.

Step 8 Session to the ASA 5500-X IPS SSP and initialize it with the setup command.

For More Information
• For a list of recommended TFTP servers, see TFTP Servers, page D-13.
Step 3 Enter enable mode.
asa# enable

Step 4 Configure the recovery settings for the ASA 5585-X IPS SSP.
asa (enable)# hw-module module 1 recover configure

Note If you make an error in the recovery configuration, use the hw-module module 1 recover stop command to stop the system reimaging and then you can correct the configuration.

Step 5 Specify the TFTP URL for the software image.
Image URL [tftp://0.0.0.
App. name: IPS
App. Status: Up
App. Status Desc: Normal Operation
App. version: 7.1(3)E4
Data plane Status: Up
Status: Up
Mgmt IP addr: 192.0.2.0
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.89.148.254
Mgmt Access List: 10.0.0.0/8
Mgmt Access List: 64.0.0.0/8
Mgmt web ports: 443
Mgmt TLS enabled true
asa#

Note The Status field in the output indicates the operational status of the ASA 5585-X IPS SSP.
Step 2 Boot the ASA 5585-X IPS SSP.
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 0.
Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.

Step 5 If necessary, change the interface used for the TFTP download.
Step 11 Enter set and press Enter to verify the network settings.

Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.

Step 12 Download and install the system image.
APPENDIX E

Troubleshooting

Contents

This appendix contains troubleshooting tips and procedures for sensors and software.
• Creating the Service Account, page E-5

Understanding Preventive Maintenance

The following actions will help you maintain your sensor:
• Back up a good configuration. If your current configuration becomes unusable, you can replace it with the backup version.
• Save your backup configuration to a remote system.
• Always back up your configuration before you do a manual upgrade.

Caution
sensor# copy /erase backup-config current-config

Backing Up and Restoring the Configuration File Using a Remote Server

Note We recommend copying the current configuration file to a remote server before upgrading.

Use the copy [/erase] source_url destination_url keyword command to copy the configuration file to a remote server. You can then restore the current configuration from the remote server.
Caution Copying a configuration file from another sensor may result in errors if the sensing interfaces and virtual sensors are not configured the same.

Backing Up the Current Configuration to a Remote Server

To back up your current configuration to a remote server, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Back up the current configuration to the remote server.
Creating the Service Account

You can create a service account for TAC to use during troubleshooting. Although more than one user can have access to the sensor, only one user can have service privileges on a sensor. The service account is for support purposes only. The root user password is synchronized to the service account password when the service account is created.
************************ WARNING *******************************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be reimaged to guarantee proper operation.
• For the procedure for using a remote server to copy and restore a configuration file, see Backing Up and Restoring the Configuration File Using a Remote Server, page E-3.
• For the procedure for adding hosts to the SSH known hosts list, refer to Adding Hosts to the SSH Known Hosts Lists.
• For the procedure for adding users and obtaining a list of the current users on the sensor, refer to Configuring User Parameters.
Recovering the Password for the Appliance

This section describes the two ways to recover the password for appliances. It contains the following topics:
• Using the GRUB Menu, page E-8
• Using ROMMON, page E-8

Using the GRUB Menu

Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password.
Step 3 Enter the following commands to reset the password:
confreg 0x7
boot

Sample ROMMON session:
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17
...
Evaluating BIOS Options...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Platform IPS-4360-K9
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Mod  MAC Address Range                  Hw Version    Fw Version    Sw Version
---  ---------------------------------  ------------  ------------  ---------------
ips  503d.e59c.7c4c to 503d.e59c.7c4c   N/A           N/A           7.1(4)E4

Mod  SSM Application Name            Status            SSM Application Version
---  ------------------------------  ----------------  --------------------------
ips  IPS                             Up                7.
Using the ASDM
To reset the password in the ASDM, follow these steps:
Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.
Note: This option does not appear in the menu if there is no IPS present.
Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset.
Mod  Status              Data Plane Status      Compatibility
---  ------------------  ---------------------  -------------
1    Up                  Up

Step 4 Session to the ASA 5585-X IPS SSP.
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.
Step 3 Click Close to close the dialog box. The sensor reboots.

Disabling Password Recovery
Caution: If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.
sensor (config)# service host
sensor (config-hos)#
Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output.
The IPS Standalone Appliances
• Use the clock set command to set the time. This is the default.
• Configure the appliance to get its time from an NTP time synchronization source.
Note: The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.
...
Step 3 Generate the hosts statistics again after a few minutes.
sensor# show statistics host
...
NTP Statistics
remote refid st t when poll reach
*11.22.33.44 CHU_AUDIO(1) 8 u 22 64 377
LOCAL(0) 73.78.73.84 5 l 22 64 377
ind assID status conf reach auth condition last_event
1 10372 f624 yes yes ok sys.peer reachable
2 10373 9024 yes yes none reject reachable
status = Synchronized
Step 4 delay 0.518 0.000 cnt 2 2 offset 37.
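The synchronization check in the steps above can be scripted against captured `show statistics host` output. This is an added example, not code from the Cisco guide; it assumes the standard ntpq peer columns (remote through jitter), and both sample captures, including the "Not Synchronized" wording, are constructed. The reach column is an octal register of the last eight polls, so 377 means all eight were answered, which is why the guide has you look again after a few minutes.

```python
import re

# Constructed captures in the layout of the NTP Statistics section.
# Delay/offset/jitter values are invented for the example.
SAMPLE_SYNCED = """\
NTP Statistics
   remote           refid      st t when poll reach   delay   offset  jitter
*11.22.33.44     CHU_AUDIO(1)     8 u   22   64  377    0.518    1.250    0.900
 LOCAL(0)        73.78.73.84      5 l   22   64  377    0.000    0.000    0.001
   ind assID status  conf reach auth condition  last_event cnt
     1 10372  f624   yes   yes   ok   sys.peer   reachable  2
     2 10373  9024   yes   yes  none    reject   reachable  2
   status = Synchronized
"""

SAMPLE_EARLY = """\
NTP Statistics
   remote           refid      st t when poll reach   delay   offset  jitter
 11.22.33.44     CHU_AUDIO(1)     8 u   36   64    1    0.536    0.069    0.001
 LOCAL(0)        73.78.73.84      5 l   35   64    1    0.000    0.000    0.001
   status = Not Synchronized
"""

# One peer row: optional tally character, then the ten ntpq columns.
PEER_RE = re.compile(
    r"^\s*(?P<tally>[*+#\-])?(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<type>[a-zA-Z\-])\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$"
)


def parse_peers(text):
    """Return one dict per peer row; header and association rows do not match."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        reach = int(m.group("reach"), 8)  # octal shift register of poll results
        peers.append({
            "remote": m.group("remote"),
            "selected": m.group("tally") == "*",  # '*' marks the system peer
            "local_clock": m.group("remote").startswith("LOCAL("),
            "polls_ok": bin(reach & 0xFF).count("1"),
            "offset_ms": float(m.group("offset")),
        })
    return peers


def check_ntp(text):
    """Summarize whether the sensor is following an external NTP source."""
    peers = parse_peers(text)
    status = re.search(r"^\s*status\s*=\s*(.+?)\s*$", text, re.MULTILINE)
    synchronized = bool(status) and status.group(1) == "Synchronized"
    sys_peer = next((p for p in peers if p["selected"]), None)

    findings = []
    if not synchronized:
        findings.append("status-not-synchronized")
    if sys_peer is None:
        findings.append("no-sys-peer")
    elif sys_peer["local_clock"]:
        findings.append("following-local-clock")
    for p in peers:
        if not p["local_clock"] and p["polls_ok"] < 8:
            findings.append("missed-polls:%s:%d/8" % (p["remote"], p["polls_ok"]))
    return {
        "synchronized": synchronized,
        "sys_peer": sys_peer["remote"] if sys_peer else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, capture in (("synced", SAMPLE_SYNCED), ("early", SAMPLE_EARLY)):
        print(name, check_ntp(capture))
```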
Virtualization has the following restrictions:
• You must assign both sides of asymmetric traffic to the same virtual sensor.
• Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups.
  – When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
Note: CISCO-PROCESS-MIB is available on the sensor, but we do not support it. We know that some elements are not available. While you can use elements from CISCO-PROCESS-MIB, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct.
• You must have a valid IPS license to allow global correlation features to function.
• Global correlation features only contain external IP addresses, so if you position a sensor in an internal lab, you may never receive global correlation information.
• Make sure your sensor supports the global correlation features.
• Make sure your IPS version supports the global correlation features.
----
MainApp N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Running
AnalysisEngine N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Not Running
CLI N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500
Step 3 Enter show tech-support and save the output.
Step 4 Reboot the sensor.
Step 5 Enter show version
Step 6 If the Analysis Engine still reads Not command output.
• You can configure a maximum of two external product devices.

For More Information
• For more information on working with OS maps and identifications, refer to Adding, Editing, Deleting, and Moving Configured OS Maps and Adding, Editing, Deleting, and Moving Configured OS Maps.
• For the procedure for adding trusted hosts, refer to Adding TLS Trusted Hosts.
The Appliance and Jumbo Packet Frame Size
For IPS standalone appliances with 1 G and 10 G fixed or add-on interfaces, the maximum jumbo frame size is 9216 bytes.
Note: A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS).

Hardware Bypass and Link Changes and Drops
Note: Hardware bypass is available on the 4GE bypass interface card, which is supported on the IPS 4270-20.
• Check any interlock or interconnect indicators that indicate a component is not connected properly.
• If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.

Analysis Engine is Busy
After you reimage a sensor, the Analysis Engine is busy rebuilding Regex tables and does not respond to new configurations.
Cannot Access the Sensor CLI Through Telnet or SSH
If you cannot access the sensor CLI through Telnet (if you already have it enabled) or SSH, follow these steps:
Step 1 Log in to the sensor CLI through a console, terminal, or module session.
Step 2 Make sure that the sensor management interface is enabled. The management interface is the interface in the list with the status line Media Type = TX. If the Link Status is Down, go to Step 3.
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option enabled
access-list 0.0.0.0/0
ftp-timeout 300
no login-banner-text
exit
--MORE--
Step 4 Make sure the management port is connected to an active network connection.
For More Information
• For the procedures for changing the IP address, changing the access list, and enabling and disabling Telnet, refer to Configuring Network Settings.
• For the various ways to open a CLI session directly on the sensor, see Appendix A, “Logging In to the Sensor.”

Correcting a Misconfigured Access List
To correct a misconfigured access list, follow these steps:
Step 1 Log in to the CLI.
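When reviewing a saved configuration for the access problems described above, the network-settings block can be checked offline: is the management workstation covered by an access-list entry, is the list open to every address, and is Telnet enabled. This is an added example, not part of the Cisco guide; the function names, the workstation addresses and the tightened variant are assumptions, and the sample text is constructed from the "Current Configuration" listing shown by setup.

```python
import ipaddress

# Constructed sample, modeled on the "Current Configuration" listing that setup prints.
SAMPLE_CONFIG = """\
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option enabled
access-list 0.0.0.0/0
ftp-timeout 300
no login-banner-text
exit
"""

# Constructed tightened variant: Telnet off, only the management subnet permitted.
TIGHTENED_CONFIG = (
    SAMPLE_CONFIG
    .replace("telnet-option enabled", "telnet-option disabled")
    .replace("access-list 0.0.0.0/0", "access-list 192.168.1.0/24")
)


def parse_network_settings(config_text):
    """Extract host-ip, telnet-option and access-list entries from network-settings."""
    settings = {"host_ip": None, "gateway": None, "telnet": False, "access_list": []}
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "network-settings":
            in_block = True
        elif in_block and line == "exit":
            break  # end of the network-settings submode
        elif in_block:
            key, _, value = line.partition(" ")
            if key == "host-ip":
                # Format on the page: address/prefix,gateway
                addr, _, gateway = value.partition(",")
                settings["host_ip"] = ipaddress.ip_interface(addr)
                if gateway:
                    settings["gateway"] = ipaddress.ip_address(gateway)
            elif key == "telnet-option":
                settings["telnet"] = value == "enabled"
            elif key == "access-list":
                settings["access_list"].append(
                    ipaddress.ip_network(value, strict=False))
    return settings


def audit(settings, workstation_ip):
    """Return finding codes for one management workstation address."""
    workstation = ipaddress.ip_address(workstation_ip)
    findings = []
    # No matching entry means Telnet, SSH and the web server all refuse this host.
    if not any(workstation in net for net in settings["access_list"]):
        findings.append("workstation-not-permitted")
    # A /0 entry admits every address that can route to the management port.
    if any(net.prefixlen == 0 for net in settings["access_list"]):
        findings.append("access-list-permits-any")
    if settings["telnet"]:
        findings.append("telnet-enabled")
    host, gateway = settings["host_ip"], settings["gateway"]
    if host is not None and gateway is not None and gateway not in host.network:
        findings.append("gateway-outside-management-subnet")
    return findings


if __name__ == "__main__":
    for label, text in (("as shown", SAMPLE_CONFIG), ("tightened", TIGHTENED_CONFIG)):
        parsed = parse_network_settings(text)
        for ws in ("192.168.1.50", "10.1.1.5"):
            print(label, ws, audit(parsed, ws))
```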
To verify that the sensor in question does not have an IP address conflict with another host on the network, follow these steps:
Step 1 Log in to the CLI.
Step 2 Determine whether the interface is up. If the output says the command and control interface link status is down, there is a hardware issue or an IP address conflict.
For More Information
• To make sure the sensor cabling is correct, refer to the chapter for your sensor in this document.
• For the procedure for making sure the IP address is correct, refer to Configuring Network Settings.

The SensorApp and Alerting
This section helps you troubleshoot issues with the SensorApp and alerting.
6-0600
Upgrade History:
IPS-K9-7.1-3-E4 00:30:07 UTC Wed Nov 16 2011
Recovery Partition Version 1.1 - 7.1(3)E4
Host Certificate Valid from: 16-Nov-2011 to 16-Nov-2013
sensor#
Step 3 If the Analysis Engine is not running, look for any errors connected to it.
Total Bytes Received = 0
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
Media Type = backplane
Missed Packet Percentage = 0
Inline Mode = Unpaired
Pair Status = N/A
Link Status = Up
Link Speed = Auto_1000
Link Duplex = Auto_Full
Total Packets Received = 0
Total Bytes Received = 0
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
To
For More Information
• For the procedure for properly installing the sensing interface on your sensor, refer to the chapter on your appliance in this document.
• For the procedures for configuring interfaces on your sensor, refer to Configuring Interfaces.
Step 4 Make sure the sensor is seeing packets.
Pair Status = N/A
Link Status = Down
Link Speed = Auto_1000
Link Duplex = Auto_Full
Total Packets Received = 0
Total Bytes Received = 0
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 0
Total Bytes Transmitted = 0
Total Multicast Packets Transmitted = 0
Total Broadcast Pa
Total Jumbo Packets Received = 0
Total Undersize Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 0
Total Bytes Transmitted = 0
Total Multicast Packets Transmitted = 0
Total Broadcast Packets Transmitted = 0
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
...
For More Information
For more information on IPS system architecture, refer to System Architecture.

Blocking
This section provides troubleshooting help for blocking and the ARC service. It contains the following topics.
Verifying ARC is Running
Note: The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed.
To verify that the ARC is running, use the show version command. If the MainApp is not running, the ARC cannot run. The ARC is part of the MainApp. To verify that the ARC is running, follow these steps:
Step 1 Log in to the CLI.
For More Information
For more information on IPS system architecture, refer to System Architecture.

Verifying ARC Connections are Active
If the State is not Active in the ARC statistics, there is a problem. To verify that the State is Active in the statistics, follow these steps:
Step 1 Log in to the CLI.
Step 2 Verify that the ARC is connecting. Check the State section of the output to verify that all devices are connecting.
Sensor up-time is 13 days.
Using 4395M out of 5839M bytes of available memory (75% usage)
system is using 26.2M out of 160.0M bytes of available disk space (16% usage)
application-data is using 69.7M out of 171.6M bytes of available disk space (43% usage)
boot is using 57.3M out of 70.5M bytes of available disk space (86% usage)
application-log is using 494.0M out of 513.
Device Access Issues
The ARC may not be able to access the devices it is managing. Make sure you have the correct IP address and username and password for the managed devices and the correct interface and direction configured.
Note: SSH devices must support SSH 1.5. The sensor does not support SSH 2.0.
To troubleshoot device access issues, follow these steps:
Step 1 Log in to the CLI.
Step 2 Verify the IP address for the managed devices.
profile-name: r7200
block-interfaces (min: 0, max: 100, current: 1)
----------------------------------------------
interface-name: fa0/0
direction: in
----------------------------------------------
pre-acl-name:
post-acl-name:
----------------------------------------------
----------------------------------------------
----------------------------------------------
firewall-devices (m
Step 5 Telnet to the router and verify that a deny entry for the blocked address exists in the router ACL. Refer to the router documentation for the procedure.
Step 6 Remove the manual block by repeating Steps 1 through 4 except in Step 2 place no in front of the command.
sensor(config-net-gen)# no block-hosts 10.16.0.
default-signatures-only
----------------------------------------------
specify-service-ports
----------------------------------------------
no
----------------------------------------------
----------------------------------------------
----------------------------------------------
specify-tcp-max-mss
----------------------------------------------
no
----------------------------------------------
----------------------------------------------
Step 4 Initiate a manual block to a bogus host IP address to make sure the master blocking sensor is initiating blocks.
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# block-hosts 10.16.0.0
Step 5 Exit network access general submode.
Logging
TAC may suggest that you turn on debug logging for troubleshooting purposes. Logger controls what log messages are generated by each application by controlling the logging severity for different logging zones. By default, debug logging is not turned on. If you enable individual zone control, each zone uses the level of logging that it is configured for. Otherwise, the same logging level is used for all zones.
Step 9 Turn on individual zone control.
sensor(config-log-mas)# individual-zone-control true
sensor(config-log-mas)# show settings
master-control
----------------------------------------------
enable-debug: true default: false
individual-zone-control: true default: false
----------------------------------------------
sensor(config-log-mas)#
Step 10 Exit master zone control.
sensor(config-log-mas)# exit
Step 11 View the zone names.
zone-name: tls
severity: warning
----------------------------------------------
sensor(config-log)#
Step 12 Change the severity level (debug, timing, warning, or error) for a particular zone.
sensor(config-log)# show settings
master-control
----------------------------------------------
enable-debug: true default: false
individual-zone-control: true default: false
----------------------------------------------
zone-control (min: 0, max: 999999999, current: 14)
----------------------------------------------
zone-name: AuthenticationApp
severity: warning
zone-name: Cid
severity: debug
For More Information
For a list of what each zone name refers to, see Zone Names, page E-48.
Directing cidLog Messages to SysLog
It might be useful to direct cidLog messages to syslog. To direct cidLog messages to syslog, follow these steps:
Step 1 Go to the idsRoot/etc/log.conf file.
Step 2 Make the following changes:
a. Set [logApp] enabled=false
Comment out the enabled=true because enabled=false is the default.
b.
TCP Reset Not Occurring for a Signature
If you do not have the event action set to reset, the TCP reset does not occur for a specific signature.
Note: TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in IPv4, or IPv4 in IPv6.
To troubleshoot a reset not occurring for a specific signature, follow these steps:
Step 1 Log in to the CLI.
Step 2 Make sure the event action is set to TCP reset.
appInstanceId: 1004
signature: sigId=20000 sigName=STRING.TCP subSigId=0 version=Unknown
addr: locality=OUT 172.16.171.19
port: 32771
victim:
addr: locality=OUT 172.16.171.13
port: 23
actions:
tcpResetSent: true
Step 6 Make sure the switch is allowing incoming TCP reset packets from the sensor. Refer to your switch documentation for more information.
Step 7 Make sure the resets are being sent.
root# ./tcpdump -i eth0 src host 172.16.171.
For More Information
• For more information on running the setup command, see Appendix B, “Initializing the Sensor.”
• For more information on reimaging your sensor, see Chapter D, “Upgrading, Downgrading, and Installing System Images.”

Which Updates to Apply and Their Prerequisites
You must have the correct service pack and minor and major version of the software.
to download the chosen package from a Cisco file server. The IP address may change for the Cisco file server, but you can find it in the lastDownloadAttempt section in the output of the show statistics host command. Try the manual upgrade command before attempting the automatic update. If it works with the upgrade command and does not work with the automatic update, try the following:
• Determine which IPS software version your sensor has.
Step 8 Upgrade the sensor.
sensor(config)# upgrade scp://service@sensor_ip_address/upgrade/ips_package_file_name
Enter password: *****
Re-enter password: *****

For More Information
For the procedure for obtaining Cisco IPS software, see Obtaining Cisco IPS Software, page C-1.

Troubleshooting the IDM
Note: These procedures also apply to the IPS section of ASDM.
d. Click the Cache tab.
e. Click Clear.
Step 3 If you have Java Plug-in 1.4.x installed:
a. Click Start > Settings > Control Panel > Java Plug-in 1.4.x.
b. Click the Advanced tab.
c. Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu.
d. Click the Cache tab.
e. Click the Browser tab.
f. Deselect all browser check boxes.
g. Click Clear Cache.
Step 4 Delete the temp files and clear the history in the browser.
telnet-option enabled
access-list 0.0.0.0/0
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 443
exit
Step 2 If network devices, such as routers, switches, or firewalls, are between the sensor and the workstation, make sure these devices are configured to allow the workstation to access the sensor web server port.
Time Synchronization on the IME and the Sensor
Symptom: The IME displays No Data Available on the Events dashboard. A historical query does not return any events; however, events are coming in to the IME and they appear in the real-time event viewer.
Possible Cause: The time is not synchronized between the sensor and the IME local server. The IME dashboards use a time relative to the IME local time.
• The ASA 5500 AIP SSM and Jumbo Packets, page E-62
• TCP Reset Differences Between IPS Appliances and ASA IPS Modules, page E-62

Health and Status Information
To see the general health of the ASA 5500 AIP SSM, use the show module 1 details command:
asa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5500 Series Security Services Module-20
Model: ASA-SSM-20
Hardware version: 0.
1 Up
asa(config)#
If you have problems with reimaging the ASA 5500 AIP SSM, use the debug module-boot command to see the output as the module boots. Make sure you have the correct IP address for the TFTP server and you have the correct file on the TFTP server. Then use the hw-module module 1 recover command again to reimage the module:
asa(config)# hw-module module 1 recover configure
Image URL [tftp://0.0.0.0/]: tftp://192.0.2.
Failover Scenarios
The following failover scenarios apply to the ASA in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5500 AIP SSM.
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

The ASA 5500 AIP SSM and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5500 AIP SSM, because the ASA itself handles the normalization.
The ASA 5500 AIP SSM and the Data Plane
Symptom: The ASA 5500 AIP SSM data plane is kept in the Up state while applying signature updates. You can check the ASA 5500 AIP SSM data plane status by using the show module command during signature updates.
Possible Cause: Bypass mode is set to off. The issue is seen when updating signatures, and when you use either CSM or IDM to apply signature updates.
Troubleshooting the ASA 5500-X IPS SSP
Note: Before troubleshooting the ASA 5500-X IPS SSP, check the Caveats section of the Readme for the software version installed on your sensor to see if you are dealing with a known issue.
Two ASA 5500-Xs in Fail-Close Mode
• If the ASAs are configured in fail-close mode, and if the ASA 5500-X IPS SSP on the active ASA experiences a configuration change or a signature/signature engine update, traffic is stopped from passing through the active ASA. No failover is triggered.
The output shows that the ASA 5500-X IPS SSP is up. If the status reads Down, you can reset it using the sw-module module 1 reset command.
If you have problems with reimaging the ASA 5500-X IPS SSP, use the debug module-boot command to see the output as it boots. Make sure you have the correct IP address for the TFTP server and you have the correct file on the TFTP server.
Mod-ips 328> hugetlb_lowmem_setup: Allocated 2097152 huge pages (size=0x200000) from lowmem are
Mod-ips 329> a at 0xffff88002ee00000 phys addr 0x000000002ee00000
Mod-ips 330> Initializing CPU#0
Mod-ips 331> PID hash table entries: 4096 (order: 12, 32768 bytes)
Mod-ips 332> Fast TSC calibration using PIT
Mod-ips 333> Detected 2792.965 MHz processor.
Mod-ips 384> CPU: L2 cache: 4096K
Mod-ips 385> CPU 4/0x4 -> Node 0
Mod-ips 386> CPU4: Intel QEMU Virtual CPU version 0.12.5 stepping 03
Mod-ips 387> Booting processor 5 APIC 0x5 ip 0x6000
Mod-ips 388> Initializing CPU#5
Mod-ips 389> Calibrating delay using timer specific routine.. 5585.
Mod-ips 510> serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
Mod-ips 511> 00:06: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
Mod-ips 512> 00:07: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
Mod-ips 513> brd: module loaded
Mod-ips 514> loop: module loaded
Mod-ips 515> lpc: version 0.1 (Nov 10 2011)
Mod-ips 516> tun: Universal TUN/TAP device driver, 1.6
Mod-ips 517> tun: (C) 1999-2004 Max Krasnyansky
Mod-ips 633> Starting CIDS:
Mod-ips 634> starting pid 1718, tty '/dev/ttyS0': '/sbin/getty -L ttyS0 9600 vt100'

The ASA 5500-X IPS SSP and the Normalizer Engine
The majority of the features in the Normalizer engine are not used on the ASA 5500-X IPS SSP, because the ASA itself handles the normalization.
The ASA 5500-X IPS SSP and Memory Usage
For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even for normal operating conditions.
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when Reset TCP Connection is selected.
• If the ASA is configured in fail-open mode for the ASA 5585-X IPS SSP, and the ASA 5585-X IPS SSP experiences a SensorApp crash or a service pack upgrade, traffic is passed through the ASA without being inspected.
Traffic Flow Stopped on IPS Switchports
Problem: Traffic on any port located on the ASA 5585-X IPS SSP (1/x) no longer passes through the adaptive security appliance when the ASA 5585-X IPS SSP is reset or shut down. This affects all traffic through these ports regardless of whether or not the traffic would have been monitored by the IPS. The link on the ports will link down when the ASA 5585-X IPS SSP is reset or shut down.
App. Status: Not Applicable
App. Status Desc: Not Applicable
App. version: 7.1(1)E4
Data plane Status: Not Applicable
Status: Shutting Down
asa# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model: ASA5585-SSP-IPS20
Hardware version: 1.0
Serial Number: ABC1234DEFG
Firmware version: 2.0(7)0
Software version: 7.
Firmware version: 2.0(7)0
Software version: 7.1(1)E4
MAC Address Range: 5475.d029.7f9c to 5475.d029.7fa7
App. name: IPS
App. Status: Up
App. Status Desc: Normal Operation
App. version: 7.1(1)E4
Data plane Status: Up
Status: Up
Mgmt IP addr: 192.0.2.3
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 192.0.2.254
Mgmt Access List: 0.0.0.
Mgmt web ports:
Mgmt TLS enabled:
asa#
Slot-1 167> SERVER=192.0.2.15
Slot-1 168> GATEWAY=192.0.2.254
Slot-1 169> PORT=GigabitEthernet0/0
Slot-1 170> VLAN=untagged
Slot-1 171> IMAGE=IPS-SSP_10-K9-sys-1.1-a-7.1-0.1.img
Slot-1 172> CONFIG=
Slot-1 173> LINKTIMEOUT=20
Slot-1 174> PKTTIMEOUT=4
Slot-1 175> RETRY=20
Slot-1 176> tftp IPS-SSP_10-K9-sys-1.1-a-7.1-0.1.img@192.0.2.15 via 192.0.2.
For More Information
For detailed information about the Normalizer engine, see Normalizer Engine.

The ASA 5585-X IPS SSP and Jumbo Packet Frame Size
Refer to the following URL for information about ASA 5585-X IPS SSP jumbo packet frame size:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.
Gathering Information
This section contains the following topics:
• Health and Network Security Information, page E-81
• Tech Support Information, page E-82
• Version Information, page E-85
• Statistics Information, page E-88
• Interfaces Information, page E-100
• Events Information, page E-101
• cidDump Script, page E-105
• Uploading and Accessing Files on the Cisco FTP Site, page E-106

Health and Network Security Information
Caution Note When the sensor is fi
Tech Support Information
The show tech-support command is useful for capturing all sensor status and configuration information.
Step 3 To send the output (in HTML format) to a file:
a. Enter the following command, followed by a valid destination. The password: prompt appears.
sensor# show tech-support destination-url destination_url
Example
To send the tech support output to the file /absolute/reports/sensor1Report.html:
sensor# show tech support dest ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html
b. Enter the password for this user account.
6-0600 CLI 6-0600 Running S-2011_NOV_16_00_20_7_1_3_46 (Release) 2011-11-16T00:23:0
Upgrade History:
IPS-K9-7.1-3-E4 00:30:07 UTC Wed Nov 16 2011
Recovery Partition Version 1.1 - 7.
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
MAC statistics from interface Management0/1
Interface function = Reserved for future use
Output from show statistics authentication
General
totalAuthenticationAttempts = 237
failedAuthenticationAttempts = 14
Output from show statistics analysis-engine
Analysis Engine Statistics
Number of seconds since service started = 1150851
Processing Load Percentage
Thread  5 sec  1 min  5 min
0       1      1      1
1       1      1      1
2       1      1
Understanding the show version Command
The show version command shows the basic sensor information and can indicate where a failure is occurring.
Upgrade History:
IPS-K9-7.1-3-E4 00:30:07 UTC Wed Nov 16 2011
Recovery Partition Version 1.1 - 7.1(3)E4
Host Certificate Valid from: 16-Nov-2011 to 16-Nov-2013
sensor#
Note If the --MORE-- prompt is displayed, press the spacebar to see more information or Ctrl-C to cancel the output and get back to the CLI prompt.
Step 3 View configuration information.
Note You can use the more current-config or show configuration commands.
! -----------------------------
service trusted-certificates
exit
! -----------------------------
service web-server
exit
! -----------------------------
service anomaly-detection ad0
exit
! -----------------------------
service external-product-interface
exit
! -----------------------------
service health-monitor
exit
! -----------------------------
service global-correlation
exit
! -----------------------------
service aaa
exit
! -----------------------------
se
• Transaction Source
• Virtual Sensor
• Web Server

Displaying Statistics
Use the show statistics [analysis-engine | anomaly-detection | authentication | denied-attackers | event-server | event-store | external-product-interface | global-correlation | host | logger | network-access | notification | os-identification | sdee-server | transaction-server | virtual-sensor | web-server] [clear] command to display statistics for each sensor application.
The Signature Database Statistics.
SimulatedDenyFilterRuleMatch = 0
TcpDeniesDueToGlobalCorrelation = 0
TcpDeniesDueToOverride = 0
TcpDeniesDueToOverlap = 0
TcpDeniesDueToOther = 0
SimulatedTcpDeniesDueToGlobalCorrelation = 0
SimulatedTcpDeniesDueToOverride = 0
SimulatedTcpDeniesDueToOverlap = 0
SimulatedTcpDeniesDueToOther = 0
LateStageDenyDueToGlobalCorrelation = 0
LateStageDenyDueToOverride = 0
LateStageDenyDueToOverlap = 0
LateStageDenyDueToOther = 0
SimulatedLateStageDenyDueToGlobalCorr
No attack
Detection - ON
Learning - ON
Next KB rotation at 10:00:00 UTC Sat Jan 18 2008
Internal Zone
   TCP Protocol
   UDP Protocol
   Other Protocol
External Zone
   TCP Protocol
   UDP Protocol
   Other Protocol
Illegal Zone
   TCP Protocol
   UDP Protocol
   Other Protocol
sensor#
Step 4 Display the statistics for authentication.
The number of times the event store circular buffer has wrapped = 0
Number of events of each type currently stored
Status events = 4257
Shun request events = 0
Error events, warning = 669
Error events, error = 8
Error events, fatal = 0
Alert events, informational = 0
Alert events, low = 0
Alert events, medium = 0
Alert events, high = 0
Alert events, threat rating 0-20 = 0
Alert events, threat rating 21-40 = 0
Alert events, threat rating 41-60 = 0
Alert even
Command Control Port Device = Management0/0
Network Statistics = ma0_0 Link encap:Ethernet HWaddr 00:04:23:D5:A1:8D
= inet addr:10.89.130.98 Bcast:10.89.131.255 Mask:255.255.254.0
= UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
= RX packets:1688325 errors:0 dropped:0 overruns:0 frame:0
= TX packets:38546 errors:0 dropped:0 overruns:0 carrier:0
= collisions:0 txqueuelen:1000
= RX bytes:133194316 (127.0 MiB) TX bytes:5515034 (5.
BlockMaxEntries = 11
MaxDeviceInterfaces = 250
NetDevice
   Type = PIX
   IP = 10.89.150.171
   NATAddr = 0.0.0.0
   Communications = ssh-3des
NetDevice
   Type = PIX
   IP = 192.0.2.4
   NATAddr = 0.0.0.0
   Communications = ssh-3des
NetDevice
   Type = PIX
   IP = 192.0.2.5
   NATAddr = 0.0.0.0
   Communications = telnet
NetDevice
   Type = Cisco
   IP = 192.0.2.6
   NATAddr = 0.0.0.
   AclSupport = uses Named ACLs
   Version = 12.2
   State = Active
NetDevice
   IP = 192.0.2.10
   AclSupport = Uses VACLs
   Version = 8.4
   State = Active
BlockedAddr
   Host
      IP = 203.0.113.1
      Vlan =
      ActualIp =
      BlockMinutes =
   Host
      IP = 203.0.113.2
      Vlan =
      ActualIp =
      BlockMinutes =
   Host
      IP = 203.0.113.4
      Vlan =
      ActualIp =
      BlockMinutes = 60
      MinutesRemaining = 24
   Network
      IP = 203.0.113.9
      Mask = 255.255.0.
Step 15 Display the statistics for the transaction server.
sensor# show statistics transaction-server
General
totalControlTransactions = 35
failedControlTransactions = 0
sensor#
Step 16 Display the statistics for a virtual sensor.
Number of exec Clear commands during uptime = 0
Denied Attackers and hit count for each.
Denied Attackers with percent denied and hit count for each.
The Signature Database Statistics.
TCP Packets currently queued for reassembly = 0
Cumulative Statistics for the TCP Stream Reassembly Unit since reset
TCP streams that have been tracked since last reset = 0
TCP streams that had a gap in the sequence jumped = 0
TCP streams that was abandoned due to a gap in the sequence = 0
TCP packets that arrived out of sequence order for their stream = 0
TCP packets that arrived out of state order for their stream = 0
The rate of TCP connections tracked p
Fatal Severity = 0
Error Severity = 14
Warning Severity = 1
Timing Severity = 0
Debug Severity = 0
Unknown Severity = 28
TOTAL = 43
Step 19 Verify that the statistics have been cleared. The statistics now all begin from 0.
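The counters shown in the steps above can be checked in bulk once the output of show statistics or show tech-support has been saved to a file. The following Python script is an added example, not part of the Cisco guide or the sensor software. It assumes the saved text has one name = value counter per line under the Output from show statistics headings; the sample text and the 10 percent failed-login threshold are constructed for illustration.

```python
import re

# Constructed sample, laid out one counter per line. The section headings,
# counter names and values are the ones quoted in this appendix; the "host"
# line carries a non-numeric value that the parser must skip.
SAMPLE = """\
Output from show statistics authentication
General
   totalAuthenticationAttempts = 237
   failedAuthenticationAttempts = 14
Output from show statistics transaction-server
General
   totalControlTransactions = 35
   failedControlTransactions = 0
Output from show statistics event-store
The number of times the event store circular buffer has wrapped = 0
Number of events of each type currently stored
   Status events = 4257
   Error events, warning = 669
   Error events, error = 8
   Error events, fatal = 0
Output from show statistics host
   Command Control Port Device = Management0/0
"""

HEADING = re.compile(r"^Output from show statistics (\S+)$")
COUNTER = re.compile(r"^(.+?)\s*=\s*(\d+)$")
WRAPPED = "The number of times the event store circular buffer has wrapped"


def parse_statistics(text):
    """Return {application: {counter name: int}} for every section found."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        heading = HEADING.match(line)
        if heading:
            current = sections.setdefault(heading.group(1), {})
            continue
        counter = COUNTER.match(line)
        # Sub-headings and non-numeric values (interface names, addresses)
        # do not match COUNTER and are ignored.
        if counter and current is not None:
            current[counter.group(1)] = int(counter.group(2))
    return sections


def failed_auth_ratio(sections):
    """Share of authentication attempts that failed (0.0 when none recorded)."""
    auth = sections.get("authentication", {})
    total = auth.get("totalAuthenticationAttempts", 0)
    failed = auth.get("failedAuthenticationAttempts", 0)
    return failed / total if total else 0.0


def review(sections, max_failed_auth_ratio=0.10):
    """List counters worth a closer look. The threshold is an assumption."""
    findings = []
    ratio = failed_auth_ratio(sections)
    if ratio > max_failed_auth_ratio:
        findings.append(f"authentication: {ratio:.1%} of login attempts failed")
    transactions = sections.get("transaction-server", {})
    failed_ct = transactions.get("failedControlTransactions", 0)
    if failed_ct:
        findings.append(f"transaction-server: {failed_ct} failed control transactions")
    store = sections.get("event-store", {})
    if store.get(WRAPPED, 0):
        # Events stay in the Event Store only until newer events overwrite them.
        findings.append("event-store: buffer wrapped, older events were overwritten")
    for severity in ("error", "fatal"):
        count = store.get(f"Error events, {severity}", 0)
        if count:
            findings.append(f"event-store: {count} evError events of severity {severity}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_statistics(SAMPLE)):
        print(finding)
```

Run the script against a copy of the output taken before issuing show statistics with the clear option, because the counters restart from 0 afterwards.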
Interfaces Command Output
The following example shows the output from the show interfaces command:
sensor# show interfaces
Interface Statistics
Total Packets Received = 0
Total Bytes Received = 0
Missed Packet Percentage = 0
Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
Media Type = backplane
Missed Packet Percentage = 0
Inline Mode = Unpaired
Pair Status = N/A
Link Status = Up
Link Speed = Auto_1000
Link Duplex = Auto_Full
• Displaying Events
• Clearing Events

Sensor Events
There are five types of events:
• evAlert—Intrusion detection alerts
• evError—Application errors
• evStatus—Status changes, such as an IP log being created
• evLogTransaction—Record of control transactions processed by each sensor application
• evShunRqst—Block requests
Events remain in the Event Store until they are overwritten by newer events.
The following options apply:
• alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a signature is triggered by network activity. If no level is selected (informational, low, medium, or high), all alert events are displayed.
• include-traits—Displays alerts that have the specified traits.
Step 3 Display the block requests beginning at 10:00 a.m. on February 9, 2011.
sensor# show events NAC 10:00:00 Feb 9 2011
evShunRqst: eventId=1106837332219222281 vendor=Cisco
originator:
deviceName: Sensor1
appName: NetworkAccessControllerApp
appInstance: 654
time: 2011/02/09 10:33:31 2011/08/09 13:13:31
shunInfo:
host: connectionShun=false
srcAddr: 11.0.0.
originator:
hostId: sensor
appName: mainApp
appInstanceId: 2215
time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
controlTransaction: command=getVersion successful=true
description: Control transaction response.
requestor:
user: cids
application:
hostId: 64.101.182.
Step 3 Enter the following command.
/usr/cids/idsRoot/bin/cidDump
Step 4 Enter the following command to compress the resulting /usr/cids/idsRoot/log/cidDump.html file.
gzip /usr/cids/idsRoot/log/cidDump.html
Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem.

For More Information
For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site, page E-106.
APPENDIX F
Cable Pinouts

Contents
This appendix describes pinout information for 10/100/1000BaseT, console, and RJ-45 to DB-9 ports, and the MGMT 10/100 Ethernet port. It contains the following topics:
• 10/100BaseT and 10/100/1000BaseT Connectors
• Console Port (RJ-45)
• RJ-45 to DB-9 or DB-25

10/100BaseT and 10/100/1000BaseT Connectors
The ASA 5585-X appliance supports 10/100/1000BaseT ports.
Figure F-2 shows the 10/100/1000BaseT (RJ-45) port pinouts.

Figure F-2 10/100/1000 Port Pinouts
Pin   Label
1     TP0+
2     TP0-
3     TP1+
4     TP2+
5     TP2-
6     TP1-
7     TP3+
8     TP3-

Console Port (RJ-45)
Figure F-3 shows the RJ-45 cable.
RJ-45 to DB-9 or DB-25
Examine the sequence of colored wires to determine the type of RJ-45 cable, as follows:
• Straight-through—The colored wires are in the same sequence at both ends of the cable.
• Cross-over—The first (far left) colored wire at one end of the cable is the third colored wire at the other end of the cable.
• Roll-over—The colored wires are in the opposite sequence at either end of the cable.
Table F-1 lists the roll-over (console) cable pinouts for RJ-45.
GLOSSARY
Revised: July 16, 2012

Numerals

3DES
Triple Data Encryption Standard. A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the sensor. It can be used when the sensor is managing a device.

802.x
A set of IEEE standards for the definition of LAN protocols.

A

AAA
authentication, authorization, and accounting. Pronounced “triple a.” The primary and recommended method for access control in Cisco devices.
ASA 5500 AIP SSM
Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The ASA 5500 AIP SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
architecture
The overall structure of a computer or communication system. The architecture influences the capabilities and limitations of the system.

ARP
Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined in RFC 826.

ASDM
Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device.

ASN.1
Abstract Syntax Notation 1. Standard for data presentation.
B

backplane
The physical connection between an interface processor or card and the data buses and the power distribution buses inside a chassis.

base version
A software release that must be installed before a follow-up release, such as a service pack or signature update, can be installed. Major and minor updates are base version releases.

benign trigger
A situation in which a signature is fired correctly, but the source of the traffic is nonmalicious.

BIOS
Basic Input/Output System.
certificate
Digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.

cidDump
A script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.

CIDEE
Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems.
cookie
A piece of information sent by a web server to a web browser that the browser is expected to save and send back to the web server whenever the browser makes additional requests of the web server.

CSA MC
Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
DES
Data Encryption Standard. A strong encryption method where the strength lies in a 56-bit key rather than an algorithm.

destination address
Address of a network device that is receiving data.

DIMM
Dual In-line Memory Modules.

DMZ
demilitarized zone. A separate network located in the neutral zone between a private (inside) network and a public (outside) network.

DNS
Domain Name System. An Internet-wide hostname to IP address mapping.
F

fail closed
Blocks traffic on the device after a hardware failure.

fail open
Lets traffic pass through the device after a hardware failure.

false negative
A signature is not fired when offending traffic is detected.

false positive
Normal traffic or a benign action causes a signature to fire.

Fast Ethernet
Any of a number of 100-Mbps Ethernet specifications.
FQDN
Fully Qualified Domain Name. A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain, relative to the root domain. A fully qualified domain name is distinguished by this absoluteness in the name space.

FWSM
Firewall Security Module. A module that can be installed in a Catalyst 6500 series switch. It uses the shun command to block. You can configure the FWSM in either single mode or multi-mode.
hardware bypass
A specialized interface card that pairs physical interfaces so that when a software error is detected, a bypass mechanism is engaged that directly connects the physical interfaces and allows traffic to flow through the pair. Hardware bypass passes traffic at the network interface and does not pass it to the IPS system.

host block
ARC blocks all traffic from a given IP address.

HTTP
Hypertext Transfer Protocol.
InterfaceApp
A component of the IPS. Handles bypass and physical settings and defines paired interfaces. Physical settings are speed, duplex, and administrative state.

intrusion detection system
IDS. A security service that monitors and analyzes system events to find and provide real-time or near real-time warning of attempts to access system resources in an unauthorized manner.

IP address
32-bit address assigned to hosts using TCP/IP.
KB
Knowledge Base. The sets of thresholds learned by Anomaly Detection and used for worm virus detection.

Knowledge Base
See KB.

L

LACP
Link Aggregation Control Protocol. LACP aids in the automatic creation of EtherChannel links by exchanging LACP packets between LAN ports. This protocol is defined in IEEE 802.3ad.

LAN
Local Area Network. Refers to the Layer 2 network domain local to a given host. Packets exchanged between two hosts on the same LAN do not require Layer 3 routing.
MD5
Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
NBD
Next Business Day. The arrival of replacement hardware according to Cisco service contracts.

Neighborhood Discovery
Protocol for IPv6. IPv6 nodes on the same link use Neighbor Discovery to discover each other’s presence, to determine each other’s link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.

Network Access ID
See NAS-ID.

network device
A device that controls IP traffic on a network and can block an attacking host.
O

OIR
online insertion and removal. Feature that permits you to add, replace, or remove cards without interrupting the system power, entering console commands, or causing other software or interfaces to shut down.

OPS
Outbreak Prevention Service.

P

P2P
Peer-to-Peer. P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing.
PER
packed encoding rules. Instead of using a generic style of encoding that encodes all types in a uniform way, PER specializes the encoding based on the data type to generate much more compact representations.

PFC
Policy Feature Card. An optional card on a Catalyst 6000 supervisor engine that supports VACL packet filtering.

PID
Product Identifier. The orderable product identifier that is one of the three parts of the UDI. The UDI is part of the PEP policy.

ping
packet internet groper.
RAM
random-access memory. Volatile memory that can be read and written by a microprocessor.

RAS
Registration, Admission, and Status Protocol. Protocol that is used between endpoints and the gatekeeper to perform management functions. RAS signalling function performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.

RBCP
Router Blade Control Protocol.
RTP
Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide end-to-end network transport functions for applications transmitting real-time data, such as audio, video, or simulation data, over multicast or unicast network services. RTP provides such services as payload type identification, sequence numbering, timestamping, and delivery monitoring to real-time applications.

RTT
round-trip time.
session command
Command used on routers and switches to provide either Telnet or console access to a module in the router or switch.

SFP
Small Form-factor Pluggable. Often refers to a fiber optic transceiver that adapts optical cabling to fiber interfaces. See GBIC for more information.

shared secret
A piece of data known only to the parties involved in a secure communication. The shared secret can be a password, a passphrase, a big number, or an array of randomly chosen bytes.
SN
Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.

SNAP
Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks.
subsignature
A more granular representation of a general signature. It typically further defines a broad scope signature.

surface mounting
Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber feet allow proper airflow around the sensor and they also absorb vibration so that the hard-disk drive is less impacted.

switch
Network device that filters, forwards, and floods frames based on the destination address of each frame.
TFTP
Trivial File Transfer Protocol. Simplified version of FTP that lets files be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

threat rating
TR. A threat rating is a value between 0 and 100 that represents a numerical decrease of the risk rating of an attack based on the response action that depicts the threat of an alert on the monitored network.
U

UDI
Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.

UDLD
UniDirectional Link Detection. Cisco proprietary protocol that allows devices connected through fiber-optic or copper Ethernet cables connected to LAN ports to monitor the physical configuration of the cables and detect when a unidirectional link exists.
virus
Hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting—that is, inserting a copy of itself into and becoming part of—another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

virus update
A signature update specifically addressing viruses.

VLAN
Virtual Local Area Network.
Wireshark
Wireshark is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. For more information, see http://www.wireshark.org.